PATENT COOPERATION TREATY

From the INTERNATIONAL BUREAU

PCT

NOTIFICATION OF ELECTION
(PCT Rule 61.2)

To:
Assistant Commissioner for Patents
United States Patent and Trademark Office
Box PCT
Washington, D.C. 20231
ETATS-UNIS D'AMERIQUE

in its capacity as elected Office

Date of mailing (day/month/year): 10 April 2000 (10.04.00)

International application No.: PCT/IT99/00262
Applicant's or agent's file reference: RM/X89340/PC

International filing date (day/month/year): 11 August 1999 (11.08.99)
Priority date (day/month/year): 12 August 1998 (12.08.98)

Applicant: ARCIERI, Franco et al.

1. The designated Office is hereby notified of its election made:
[X] in the demand filed with the International Preliminary Examining Authority on: 09 March 2000 (09.03.00)
[ ] in a notice effecting later election filed with the International Bureau on:

2. The election [X] was [ ] was not made before the expiration of 19 months from the priority date or, where Rule 32 applies, within the time limit under Rule 32.2(b).

The International Bureau of WIPO
34, chemin des Colombettes
1211 Geneva 20, Switzerland
Facsimile No.: (41-22) 740.14.35
Telephone No.: (41-22) 338.83.38

Authorized officer: Olivia RANAIVOJAONA

Form PCT/IB/331 (July 1992)

IT9900262

EL652176667US



The demand must be filed directly with the competent International Preliminary Examining Authority or, if two or more Authorities are competent, with the one chosen by the applicant. The full name or two-letter code of that Authority may be indicated by the applicant on the line below:

IPEA/EP

09/762540



PCT

DEMAND

CHAPTER II

under Article 31 of the Patent Cooperation Treaty.
The undersigned requests that the international application specified below be the subject of international preliminary examination according to the Patent Cooperation Treaty and hereby elects all eligible States (except where otherwise indicated).

For International Preliminary Examining Authority use only

Box No. I IDENTIFICATION OF THE INTERNATIONAL APPLICATION

Applicant's or agent's file reference: RM/X89340/PC
International application No.: PCT/IT99/00262
International filing date (day/month/year): 11 August 1999
(Earliest) Priority date (day/month/year): 11 August 1998
Title of invention: Network access control device through fast recognition of application frames

Box No. II APPLICANT(S)

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
ALASI DI ARCIERI FRANCO & C. s.a.s.
Via Mario Chiri 25
00171 Roma
ITALY
Telephone No.:
Facsimile No.:
Teleprinter No.:
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
ARCIERI Franco
Via Mario Chiri 25
00171 Roma
ITALY
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
MARINELLI Guido Maria
Via Squillace 108
00178 Roma
ITALY
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY

[X] Further applicants are indicated on a continuation sheet.

Form PCT/IPEA/401 (first sheet) (July 1998; reprint January 2000)

See Notes to the demand form



Sheet No. 2

International application No.: PCT/IT99/00262

Continuation of Box No. II APPLICANT(S)

If none of the following sub-boxes is used, this sheet should not be included in the demand.

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
TALAMO Maurizio
Via Emanuele Filiberto 233
00185 Roma
ITALY
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
State (that is, country) of nationality:
State (that is, country) of residence:

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
State (that is, country) of nationality:
State (that is, country) of residence:

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
State (that is, country) of nationality:
State (that is, country) of residence:

[ ] Further applicants are indicated on another continuation sheet.

Form PCT/IPEA/401 (continuation sheet) (July 1998; reprint January 2000)

See Notes to the demand form



Sheet No.

International application No.: PCT/IT99/00262

Box No. III AGENT OR COMMON REPRESENTATIVE; OR ADDRESS FOR CORRESPONDENCE

The following person is [X] agent [ ] common representative
and [X] has been appointed earlier and represents the applicant(s) also for international preliminary examination.
[ ] is hereby appointed and any earlier appointment of (an) agent(s)/common representative is hereby revoked.
[ ] is hereby appointed, specifically for the procedure before the International Preliminary Examining Authority, in addition to the agent(s)/common representative appointed earlier.

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
LEONE Mario
Societa Italiana Brevetti S.p.A.
Piazza di Pietra 39
00186 Roma
ITALY
Telephone No.: +39-06-695441
Facsimile No.: +39-06-6955830
Teleprinter No.:

[ ] Address for correspondence: Mark this check-box where no agent or common representative is/has been appointed and the space above is used instead to indicate a special address to which correspondence should be sent.

Box No. IV BASIS FOR INTERNATIONAL PRELIMINARY EXAMINATION

Statement concerning amendments:*

1. The applicant wishes international preliminary examination to start on the basis of:
the international application as originally filed
the description: as originally filed / [ ] as amended under Article 34
the claims: [ ] as originally filed / as amended under Article 19 (together with any accompanying statement) / [ ] as amended under Article 34
the drawings: [X] as originally filed / as amended under Article 34

2. [ ] The applicant wishes any amendment to the claims under Article 19 to be considered as reversed.
[ ] The applicant wishes the start of the international preliminary examination to be postponed until the expiration of 20 months from the priority date unless the International Preliminary Examining Authority receives a copy of any amendments made under Article 19 or a notice from the applicant that he does not wish to make such amendments (Rule 69.1(d)). (This check-box may be marked only where the time limit under Article 19 has not yet expired.)
Where no check-box is marked, international preliminary examination will start on the basis of the international application as originally filed or, where a copy of amendments to the claims under Article 19 and/or amendments of the international application under Article 34 are received by the International Preliminary Examining Authority before it has begun to draw up a written opinion or the international preliminary examination report, as so amended.

Language for the purposes of international preliminary examination: ENGLISH
which is the language in which the international application was filed.
[X] which is the language of a translation furnished for the purposes of international search.
[ ] which is the language of publication of the international application.
[ ] which is the language of the translation (to be) furnished for the purposes of international preliminary examination.

Box No. V ELECTION OF STATES

The applicant hereby elects all eligible States (that is, all States which have been designated and which are bound by Chapter II of the PCT)
excluding the following States which the applicant wishes not to elect:

Form PCT/IPEA/401 (second sheet) (July 1998; reprint January 2000)

See Notes to the demand form



Sheet No.

International application No.: PCT/IT99/00262

Box No. VI CHECK LIST

The demand is accompanied by the following elements, in the language referred to in Box No. IV, for the purposes of international preliminary examination:

1. translation of international application: sheets
2. amendments under Article 34: sheets
3. copy (or, where required, translation) of amendments under Article 19: sheets
4. copy (or, where required, translation) of statement under Article 19: sheets
5. letter: sheets
6. other (specify): sheets

For International Preliminary Examining Authority use only: for each of items 1 to 6, [ ] received / [ ] not received

The demand is also accompanied by the item(s) marked below:
1. [X] fee calculation sheet
2. [ ] separate signed power of attorney
3. [ ] copy of general power of attorney; reference number, if any:
4. [ ] statement explaining lack of signature
5. [ ] nucleotide and/or amino acid sequence listing in computer readable form
6. [ ] other (specify):

Box No. VII SIGNATURE OF APPLICANT, AGENT OR COMMON REPRESENTATIVE

Next to each signature, indicate the name of the person signing and the capacity in which the person signs (if such capacity is not obvious from reading the demand).

LEONE

For International Preliminary Examining Authority use only

1. Date of actual receipt of DEMAND:

2. Adjusted date of receipt of demand due to CORRECTIONS under Rule 60.1(b):

3. [ ] The date of receipt of the demand is AFTER the expiration of 19 months from the priority date and item 4 or 5, below, does not apply. [ ] The applicant has been informed accordingly.

4. [ ] The date of receipt of the demand is WITHIN the period of 19 months from the priority date as extended by virtue of Rule 80.5.

5. [ ] Although the date of receipt of the demand is after the expiration of 19 months from the priority date, the delay in arrival is EXCUSED pursuant to Rule 82.

For International Bureau use only

Demand received from IPEA on:

Form PCT/IPEA/401 (last sheet) (July 1998; reprint January 2000)

See Notes to the demand form



PCT

REQUEST

The undersigned requests that the present international application be processed according to the Patent Cooperation Treaty.

EL652176667US

For receiving Office use only
International Application No.:
International Filing Date:
Name of receiving Office and "PCT International Application":

Applicant's or agent's file reference (if desired) (12 characters maximum): RM/X89340/PC

Box No. I TITLE OF INVENTION

Network access control device through fast recognition of application frames satisfying a set of predetermined rules

Box No. II APPLICANT

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
ALASI DI ARCIERI FRANCO & C. s.a.s.
Via Mario Chiri 25
00171 Roma
ITALY

[ ] This person is also inventor.

Telephone No.:
Facsimile No.:
Teleprinter No.:
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY

This person is applicant for the purposes of: [ ] all designated States [X] all designated States except the United States of America [ ] the United States of America only [ ] the States indicated in the Supplemental Box

Box No. III FURTHER APPLICANT(S) AND/OR (FURTHER) INVENTOR(S)

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
ARCIERI Franco
Via Mario Chiri 25
00171 Roma
ITALY

State (that is, country) of nationality: ITALY

This person is: [ ] applicant only [X] applicant and inventor [ ] inventor only (If this check-box is marked, do not fill in below.)

State (that is, country) of residence: ITALY

This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [X] the United States of America only [ ] the States indicated in the Supplemental Box

[X] Further applicants and/or (further) inventors are indicated on a continuation sheet.

Box No. IV AGENT OR COMMON REPRESENTATIVE; OR ADDRESS FOR CORRESPONDENCE

The person identified below is hereby/has been appointed to act on behalf of the applicant(s) before the competent International Authorities as: agent / [ ] common representative

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.)
STEINFL Alessandro
Societa Italiana Brevetti S.p.A.
Piazza di Pietra 39
00186 Roma
ITALY
Telephone No.: +39-06-695441
Facsimile No.: +39-06-69544830
Teleprinter No.:

[ ] Address for correspondence: Mark this check-box where no agent or common representative is/has been appointed and the space above is used instead to indicate a special address to which correspondence should be sent.

Form PCT/RO/101 (first sheet) (July 1998; reprint July 1999)

See Notes to the request form



Sheet No.

Continuation of Box No. III FURTHER APPLICANTS AND/OR (FURTHER) INVENTORS

If none of the following sub-boxes is used, this sheet should not be included in the request.

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
MARINELLI Guido Maria
Via Squillace 108
00178 Roma
ITALY
This person is: [ ] applicant only [X] applicant and inventor [ ] inventor only (If this check-box is marked, do not fill in below.)
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY
This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [X] the United States of America only [ ] the States indicated in the Supplemental Box

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
TALAMO Maurizio
Via Emanuele Filiberto 233
00185 Roma
ITALY
This person is: [ ] applicant only [X] applicant and inventor [ ] inventor only (If this check-box is marked, do not fill in below.)
State (that is, country) of nationality: ITALY
State (that is, country) of residence: ITALY
This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [X] the United States of America only [ ] the States indicated in the Supplemental Box

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
This person is: [ ] applicant only [ ] applicant and inventor [ ] inventor only (If this check-box is marked, do not fill in below.)
State (that is, country) of nationality:
State (that is, country) of residence:
This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [ ] the United States of America only [ ] the States indicated in the Supplemental Box

Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below.)
This person is: [ ] applicant only [ ] applicant and inventor [ ] inventor only (If this check-box is marked, do not fill in below.)
State (that is, country) of nationality:
State (that is, country) of residence:
This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [ ] the United States of America only [ ] the States indicated in the Supplemental Box

[ ] Further applicants and/or (further) inventors are indicated on another continuation sheet.

Form PCT/RO/101 (continuation sheet) (July 1998; reprint July 1999)

See Notes to the request form



Sheet No. 3

Box No. V DESIGNATION OF STATES

The following designations are hereby made under Rule 4.9(a) (mark the applicable check-boxes; at least one must be marked):

Regional Patent

[X] AP ARIPO Patent: GH Ghana, GM Gambia, KE Kenya, LS Lesotho, MW Malawi, SD Sudan, SL Sierra Leone, SZ Swaziland, UG Uganda, ZW Zimbabwe, and any other State which is a Contracting State of the Harare Protocol and of the PCT

[X] EA Eurasian Patent: AM Armenia, AZ Azerbaijan, BY Belarus, KG Kyrgyzstan, KZ Kazakhstan, MD Republic of Moldova, RU Russian Federation, TJ Tajikistan, TM Turkmenistan, and any other State which is a Contracting State of the Eurasian Patent Convention and of the PCT

[X] EP European Patent: AT Austria, BE Belgium, CH and LI Switzerland and Liechtenstein, CY Cyprus, DE Germany, DK Denmark, ES Spain, FI Finland, FR France, GB United Kingdom, GR Greece, IE Ireland, IT Italy, LU Luxembourg, MC Monaco, NL Netherlands, PT Portugal, SE Sweden, and any other State which is a Contracting State of the European Patent Convention and of the PCT

[X] OA OAPI Patent: BF Burkina Faso, BJ Benin, CF Central African Republic, CG Congo, CI Cote d'Ivoire, CM Cameroon, GA Gabon, GN Guinea, GW Guinea-Bissau, ML Mali, MR Mauritania, NE Niger, SN Senegal, TD Chad, TG Togo, and any other State which is a member State of OAPI and a Contracting State of the PCT (if other kind of protection or treatment desired, specify on dotted line)

National Patent (if other kind of protection or treatment desired, specify on dotted line).
[The check-box marks for the individual national designations are not legible in the scanned copy; the States listed on the sheet are:]

AE United Arab Emirates
AL Albania
AM Armenia
AT Austria
AU Australia
AZ Azerbaijan
BA Bosnia and Herzegovina
BB Barbados
BG Bulgaria
BR Brazil
BY Belarus
CA Canada
CH and LI Switzerland and Liechtenstein
CN China
CU Cuba
CZ Czech Republic
DE Germany
DK Denmark
EE Estonia
ES Spain
FI Finland
GB United Kingdom
GD Grenada
GE Georgia
GH Ghana
GM Gambia
HR Croatia
HU Hungary
ID Indonesia
IL Israel
IN India
IS Iceland
JP Japan
KE Kenya
KG Kyrgyzstan
KP Democratic People's Republic of Korea
KR Republic of Korea
KZ Kazakhstan
LC Saint Lucia
LK Sri Lanka
LR Liberia
LS Lesotho
LT Lithuania
LU Luxembourg
LV Latvia
MD Republic of Moldova
MG Madagascar
MK The former Yugoslav Republic of Macedonia
MN Mongolia
MW Malawi
MX Mexico
NO Norway
NZ New Zealand
PL Poland
PT Portugal
RO Romania
RU Russian Federation
SD Sudan
SE Sweden
SG Singapore
SI Slovenia
SK Slovakia
SL Sierra Leone
TJ Tajikistan
TM Turkmenistan
TR Turkey
TT Trinidad and Tobago
UA Ukraine
UG Uganda
US United States of America
UZ Uzbekistan
VN Viet Nam
YU Yugoslavia
ZA South Africa
ZW Zimbabwe

Check-boxes reserved for designating States which have become party to the PCT after issuance of this sheet:
CR Costa Rica
DM Dominica

Precautionary Designation Statement: In addition to the designations made above, the applicant also makes under Rule 4.9(b) all other designations which would be permitted under the PCT except any designation(s) indicated in the Supplemental Box as being excluded from the scope of this statement. The applicant declares that those additional designations are subject to confirmation and that any designation which is not confirmed before the expiration of 15 months from the priority date is to be regarded as withdrawn by the applicant at the expiration of that time limit. (Confirmation of a designation consists of the filing of a notice specifying that designation and the payment of the designation and confirmation fees. Confirmation must reach the receiving Office within the 15-month time limit.)

Form PCT/RO/101 (second sheet) (July 1999)

See Notes to the request form



Sheet No. 4

Supplemental Box: If the Supplemental Box is not used, this sheet should not be included in the request.

1. If, in any of the Boxes, the space is insufficient to furnish all the information: in such case, write "Continuation of Box No. ..." [indicate the number of the Box] and furnish the information in the same manner as required according to the captions of the Box in which the space was insufficient, in particular:

(i) if more than two persons are involved as applicants and/or inventors and no "continuation sheet" is available: in such case, write "Continuation of Box No. III" and indicate for each additional person the same type of information as required in Box No. III. The country of the address indicated in this Box is the applicant's State (that is, country) of residence if no State of residence is indicated below;

(ii) if in Box No. II or in any of the sub-boxes of Box No. III, the indication "the States indicated in the Supplemental Box" is checked: in such case, write "Continuation of Box No. II" or "Continuation of Box No. III" or "Continuation of Boxes No. II and No. III" (as the case may be), indicate the name of the applicant(s) involved and, next to (each) such name, the State(s) (and/or, where applicable, ARIPO, Eurasian, European or OAPI patent) for the purposes of which the named person is applicant;

(iii) if, in Box No. II or in any of the sub-boxes of Box No. III, the inventor or the inventor/applicant is not inventor for the purposes of all designated States or for the purposes of the United States of America: in such case, write "Continuation of Box No. II" or "Continuation of Box No. III" or "Continuation of Boxes No. II and No. III" (as the case may be), indicate the name of the inventor(s) and, next to (each) such name, the State(s) (and/or, where applicable, ARIPO, Eurasian, European or OAPI patent) for the purposes of which the named person is inventor;

(iv) if, in addition to the agent(s) indicated in Box No. IV, there are further agents: in such case, write "Continuation of Box No. IV" and indicate for each further agent the same type of information as required in Box No. IV;

(v) if in Box No. V, the name of any State (or OAPI) is accompanied by the indication "patent of addition" or "certificate of addition", or if in Box No. V, the name of the United States of America is accompanied by an indication "continuation" or "continuation-in-part": in such case, write "Continuation of Box No. V" and the name of each State involved (or OAPI), and after the name of each such State (or OAPI), the number of the parent title or parent application and the date of grant of the parent title or filing of the parent application;

(vi) if in Box No. VI, there are more than three earlier applications whose priority is claimed: in such case, write "Continuation of Box No. VI" and indicate for each additional earlier application the same type of information as required in Box No. VI;

(vii) if in Box No. VI, the earlier application is an ARIPO application: in such case, write "Continuation of Box No. VI", specify the number of the item corresponding to that earlier application and indicate at least one country party to the Paris Convention for the Protection of Industrial Property for which that earlier application was filed.

2. If with regard to the precautionary designation statement contained in Box No. V, the applicant wishes to exclude any State(s) from the scope of that statement: in such case, write "Designation(s) excluded from precautionary designation statement" and indicate the name or two-letter code of each State so excluded.

3. If the applicant claims, in respect of any designated Office, the benefits of provisions of the national law concerning non-prejudicial disclosures or exceptions to lack of novelty: in such case, write "Statement concerning non-prejudicial disclosures or exceptions to lack of novelty" and furnish that statement below.

CONTINUATION OF BOX NO. 4

ADORNO Silvano, AIMI Luciano, BARDINI Marco Luigi, BAZZICHELLI Alfredo, BORRINI Stefano, CONCONE Emanuele, DE BENEDETTI Fabrizio, DI CERBO Mario, IACOBELLI Daniele, LEONE Mario, MOSCONE BENVENUTI Francesca, PELLEGRI Alberto, PIZZOLI Antonio Maria, PIZZOLI Pasquale, STRINI Giorgio, TONON Gilberto

Societa Italiana Brevetti S.p.A.
Piazza di Pietra 39
00186 Roma
Italy

Form PCT/RO/101 (supplemental sheet) (July 1998; reprint July 1999)

See Notes to the request form



Sheet No.

Box No. VI PRIORITY CLAIM

[ ] Further priority claims are indicated in the Supplemental Box.

Columns: Filing date of earlier application (day/month/year) | Number of earlier application | Where earlier application is: national application: country / regional application:* regional Office / international application: receiving Office

item (1): 12 August 1998 | RM98A000542 | national application: ITALY
item (2):
item (3):

[ ] The receiving Office is requested to prepare and transmit to the International Bureau a certified copy of the earlier application(s) (only if the earlier application was filed with the Office which for the purposes of the present international application is the receiving Office) identified above as item(s):

* Where the earlier application is an ARIPO application, it is mandatory to indicate in the Supplemental Box at least one country party to the Paris Convention for the Protection of Industrial Property for which that earlier application was filed (Rule 4.10(b)(ii)). See Supplemental Box.

Box No. VII INTERNATIONAL SEARCHING AUTHORITY
No: Claims 1-12

Industrial applicability (IA) Yes: Claims 1-12

Re Item V

Reasoned statement under Article 35(2) with regard to novelty, inventive step or 
industrial applicability; citations and explanations supporting such statement 

1. The document D1 was not cited in the international search report.

D1 = P. Rolin, L. Toutain and S. Gombault, 'Network Security Probe', Proceedings of the 2nd ACM Conference on Computer and Communications Security, pages 229-240, November 2-4, 1994, Fairfax, VA USA;
http://www.acm.org/pubs/citations/proceedings/commsec/191177/p229-rolin/

2. Reference is further made to the following document:

D2 = EP-A-0 595 509 (LANNET DATA COMMUNICATIONS LTD) 4 May 1994 (1994-05-04)



3. The subject-matter of Claim 1 of the present application cannot be considered as involving an inventive step (Article 33(3) PCT) for the following reasons.

Document D1, which is considered to represent the most relevant state of the art, discloses (according to the wording of the present claim) the essential features of Claim 1, a network access control device (page 232, right column, lines 7-8: "... a tool apart from the network routing components ..."; Figure 1: Security Analyser) through in series (page 233, right column, lines 21-24: "... upon their successive frames ...") deterministic recognition of application frames (page 232, right column, line 26: "NSP uses a passive taping (listener) method ...") satisfying a set of predetermined syntactical rules (Figure 2, Application column; page 233, right column, lines 21-24: "... upon their successive frames it can find elaborate information (application used, user name, ...)"; page 233, right column, lines 45-47: "database of rules."; page 236, left column, lines 5-8: "a step in a transaction") which comprises:
- means for monitoring and interpretation of the application frames to recognize (page 232, left column, lines 47-48: "Since the NSP listen all message it is perfectly suitable to audit communication." and page 231, left column, lines 15-16: "This provides an opportunity to make elaborate multilayer control.");
- means for storing predetermined syntactical rules (page 232, right column, line 35: "... database that contains the security policy ..." and page 233, right column, lines 45-47: "... stored in a database of rules.");
- means for interpreting the predetermined rules (page 236, left column, lines 7-8: "The security policy defines the sequences to protect." and page 232, left column, last line to right column, line 2: "It should be easy to plug an audit interpreter module that looks for aggressions ...")

whereby the recognition is able to be performed on any frame component (page 233, right column, lines 12-14: "To be operational NSP needs only access to all the messages (Frames, packets, ...) that transit within the network."), which further comprises forwarding means, for forwarding the application frame when recognized (as the "Network security probe (NSP)" in D1 runs in parallel to the communication on the LAN a forwarding is not necessary as the frame passes automatically; nevertheless the NSP would forward or allow forwarding the frames if attached to a proxy server or firewall as e.g. D2, column 2, lines 48-53) and return to sender means, for returning of the application frame when not recognized (page 235, left column, lines 7-20: "... send a frame within a connection established by any other station.").

The subject-matter of Claim 1 differs therefrom only in that the rules are compiled 
in a direct access data structure, which is stored and compared to the application 
frames which are recognized with said direct access data structure and the direct 
access data structure allows an access time substantially independent from the 
number of rules. 

The problem to be solved by the present invention may therefore be regarded as 
how to improve the processing speed of a rule-based analysing system. 

No positive contribution to inventive step can be seen in formulating this particular 
problem, because the need for quicker processing is essential for scaling applications 
to wider use. 

The solution proposed in Claim 1 of the present application cannot be considered 
as involving an inventive step (Article 33(3) PCT) for the following reasons. 
Claim 1 represents an obvious and consequently not inventive combination of 
features, as it is well known to the person skilled in the art that compiling code and 
executing it is quicker than interpreting the code. Therefore, the subject-matter of 
Claim 1 consists merely in the juxtaposition or association of known features (the 
protocol analyser and a compiler to achieve faster processing than an interpreter) 
functioning in their normal way and not producing any non-obvious working 
interrelationship. The combined features do not mutually support each other in their 
effects to such an extent that a new technical result is achieved. 

Claim 1 is therefore not inventive. 

4. Dependent Claims 2-12 do not contain any features which, in combination with the 
features of any claim to which they refer, meet the requirements of the PCT (Article 
33(3)) in respect of an inventive step, the reasons being as follows: 

A person skilled in the art is aware of the following features which can be combined 
with the features of Claim 1 without producing a surprising effect: 

a. Converting rules into identifiers and compressing them (Claim 2) is commonly 
known. 

b. That the returned application frame contains the reason of the failed forwarding 
(Claim 3) is a standard error handling technique. 

c. Storing rules as objects (Claim 4) or pairs of data types (Claim 5) 
combined with actions (Claim 7) is the general method for dealing with software data 
structures. 

d. Joker values (Claim 6) are commonly used to define default behaviour. 

e. A matricial structure for data (Claim 8) is also commonly employed to reduce 
storage size. 

f. The details of a control unit as in Claim 9 are shown in D1, Figure 4. 

g. Ordering of frames (Claim 9) to find the logical sequence of instructions (Claim 
10) is known from D1, page 236, left column, lines 6-7. 

h. That the control device is installed within the client machine (Claim 12) is also known 
from D1 (page 231, left column, lines 2-3). 
Furthermore, in both types of devices of the known art there is the 
disadvantage that the recognition of the communication frames cannot be based on 
any frame component, but exclusively on frames at a non-application layer. 

P. Rolin, L. Toutain and S. Gombault, 'Network Security Probe' discloses a 
device that provides a security service in a network environment and that does not interject 
the security services into the operational sequences; rather, the security services are 
established as a parallel set of services. The major disadvantage of such a device is 
that it uses an optimistic approach: the device lets all communications pass and checks in 
parallel for authorization, so illegal communications will only be stopped later. Another 
disadvantage is that the recognition is performed by a "pattern matching" method. 
This kind of method is not error-free because it is based on the comparison of the 
parts of the dialog with rules and patterns listed in a database and decided by security 
officers. Furthermore, the performance of the security system depends both on the 
number of rules to compare and on their complexity, so it is not possible to 
completely eliminate the risk that an illegal communication passes on the network. 

The present invention overcomes such disadvantages of the prior art, as it 
provides a network access control device through in series deterministic recognition 
of application frames satisfying a set of predetermined syntactical rules comprising: 

- means for monitoring and interpretation of the application frames to recognize; 

- means for storing predetermined syntactical rules; 

- means for compiling the predetermined syntactical rules in a direct access data 
structure; 

- means for storing said direct access data structure; and 

- means for comparing the application frames to be recognized with said direct 
access data structure, 

whereby the recognition can be performed on any frame component and the direct 
access data structure allows an access time substantially independent from the 
number of rules, 

characterized in that it further comprises forwarding means, for forwarding the 
application frame when recognized and return-to-sender means, for returning of the 
application frame when not recognized. 

Preferably, the means for monitoring and interpretation of the application 
frames comprise: 

a) a data packets monitoring device at a layer corresponding to the OSI layer 
2, said data packets comprising control frames and information frames, wherein the 
control and information frames contain a header portion and a body portion, said 
header portion allowing the distinction between an information frame and a control 
frame; 

b) a control unit receiving as an input the data coming from the monitoring 
device and comprising means for the discrimination of the control frames from the 
information frames; 

c) a dating unit connected to the control unit and associating a monitoring 
time to the control frames and to the information frames; 

d) a discriminated data storing unit, storing the control and the information 
frames and the monitoring time thereof, bidirectionally connected to the control unit; 

e) a predetermined data storing unit, bidirectionally connected to the control 
unit, said predetermined data representing possible interpretations of the information 
frames contained in the discriminated data storing unit; 

f) means for comparing, by the control unit, said predetermined data stored in 
the storing unit with the data contained in the body portion of the 
CLAIMS 

1. A network access control device through in series deterministic recognition 
of application frames satisfying a set of predetermined syntactical rules comprising: 

- means (205) for monitoring and interpretation of the application frames to 
recognize; 

- means (201) for storing predetermined syntactical rules; 

- means (202) for compiling the predetermined syntactical rules in a direct access 
data structure; 

- means (203) for storing said direct access data structure; and 

- means (204) for comparing the application frames to be recognized with said 
direct access data structure, 
whereby the recognition can be performed on any frame component and the direct 
access data structure allows an access time substantially independent from the 
number of rules, 

characterized in that it further comprises forwarding means, for forwarding the 
application frame when recognized and return-to-sender means, for returning of the 
application frame when not recognized. 

2. The access control device according to claim 1, characterized in that said 
compiling means (202) of the predetermined syntactical rules comprise: 

- conversion means, for converting the predetermined syntactical rules in a set of 
basic sequences of numerical identifiers; and 

- compression means, for compressing the set of sequences thus obtained in a 
direct access data structure. 

3. The access control device according to claim 1 or 2, characterized in that 
said return-to-sender means, for returning the application frames when not 
recognized, return information related to the reason of the failed forwarding. 

4. The access control device according to any of the preceding claims, 
characterized in that the predetermined syntactical rules are stored as pairs of 
<object>/<action> fields. 

5. The access control device according to claim 4, characterized in that the 
predetermined syntactical rules are stored as pairs of <data type>/<data value> fields. 



6. The access control device according to claim 4 or 5, characterized in that 
the predetermined syntactical rules include one or more joker values. 

7. The network access monitoring device according to claim 4, characterized 
in that the field <action> refers to the minimal set of commands 

- Push 
  <value> 
  <variable> 
  <reading position> 
  <value at the reading position> 

- Pop 
  <variable> 
  <reading position> 
  <at the reading position> 

- And 

- Mul 

- Add 

- Equal 

- Next 

- F_send_all 

- F_dynamic. 

8. The access control device according to claims 2 and 4, characterized in that 
the direct access data structure is represented through a matricial structure 
comprising object fields and action fields. 

9. The access control device according to any of the preceding claims, 
characterized in that the means (205) for monitoring and interpretation of the 
application frames comprise: 

a) a data packets monitoring device (9) at a layer corresponding to the OSI 
layer 2, said data packets comprising control frames and information frames, wherein 
the control and information frames contain a header portion and a body portion, said 
header portion allowing the distinction between an information frame and a control 
frame; 

b) a control unit (15) receiving as an input the data coming from the 
monitoring device (9) and comprising means for the discrimination of the control 
frames from the information frames; 

c) a dating unit (16) connected to the control unit (15) and associating a 
monitoring time to the control frames and to the information frames; 

d) a discriminated data storing unit (17), storing the control and the 
information frames and the monitoring time thereof, bidirectionally connected to the 
control unit (15); 

e) a predetermined data storing unit (18), bidirectionally connected to the 
control unit (15), said predetermined data representing possible interpretations of the 
information frames contained in the discriminated data storing unit (17); 

f) means for comparing, by the control unit (15), said predetermined data 
stored in the storing unit (18) with the data contained in the body portion of the 
information frames stored in the discriminated data storing unit (17), thus 
reconstructing the information frames according to their specific application syntax; 

g) means for ordering, according to the time and kind of communication, 
the information frames reconstructed according to their specific application syntax, 

thus reconstructing application sequences occurred between a determined source 
processor and a determined destination processor; and 

h) means for ordering said information frames ordered according to the 
time and kind of communication also according to a logical criterion, thus 
reconstructing the logical path of said application sequences occurred between a 

determined source processor and a determined destination processor. 

10. The access control device according to claim 9, characterized in that said 
means for ordering said information frames according to a logical criterion comprise 
means for reciprocally comparing the body portion of the information frames. 


11. The access control device according to claim 9, characterized in that said 
means for ordering said information frames according to a logical criterion comprise 
means for comparing each sequence of body portions of the information frames with 
a set of predetermined sequences, said predetermined sequences representing 
possible interpretations of the information frame sequences contained in the 
discriminated data storing unit (17), said predetermined sequences being contained in 
said predetermined data storing unit (18). 

12. The access control device according to any of the preceding claims, 
characterized in that it is implemented using a board installed on the processor on 
which the client applications operate. 
NETWORK ACCESS CONTROL DEVICE THROUGH FAST RECOGNITION OF APPLICATION FRAMES 

DESCRIPTION 

The present invention provides a network access control device 
through fast recognition of application frames satisfying a set of predetermined rules. 

In particular, the device according to the invention allows both 
monitoring and interpretation of application protocols for network data transmission 
systems and the comparison with a set of control patterns of every monitored and 
interpreted communication frame. If a frame is recognized, the device allows access 
to the service. If the frame is not recognized, the device denies access to the service. 

In the present description, by "pattern" (or access rule) the recognition 
statement of a particular communication frame will be intended. 
Preferably, such a statement will be intended as a set of <data type>/<data value> 
pairs assumed by the fields inside the communication frame. The 
<data type>/<data value> pairs are specified according to the various communication 
layers inside the communication frame, concerning both the control and the 
information portion. In the present description, by way of example, communication 
frames of the HTTP (Internet browsing services) kind will be illustrated. 

Network access control devices are known and can be divided into 
two large categories: 

1) In a first category, the various access rules are represented by means of 
multidimensional matrices represented in a non-compressed form, using simple 
languages to access said matrices. The disadvantage of such a representation is given 
by the high memory occupation: a 10-dimensional matrix with 100 elements per 
dimension has a memory occupation of 100^10. 

2) In a second category, the various access rules are represented by means of 
multidimensional matrices represented in a compressed form. The access to said 
matrices is not of a direct type. Such a manner has the disadvantage of requiring the 
use of high level languages, which determine the particular procedure to be activated 
in response to the recognition of an access rule by means of test and comparison 
operators. The particular control structures thus used burden the interpretation 
process, making it inefficient. However, the realization of generalised methods for 
information structure recognition on fast technologies (firmware) proves to be 
difficult, if not altogether impossible. 
Furthermore, in both types of devices of the known art there is the 
disadvantage that the recognition of the communication frames cannot be based on 
any frame component, but exclusively on frames at a non-application layer. 

The present invention overcomes such disadvantages of the prior art, 
as it provides a network access control device through deterministic recognition of 
application frames satisfying a set of predetermined rules comprising: 

- means for monitoring and interpretation of the application frames to 
recognize; 

- means for storing predetermined rules; 

- means for compiling the predetermined rules in a direct access data 
structure; 

- means for storing said direct access data structure; and 

- means for comparing the application frames to be recognized with said 
direct access data structure, 

wherein the recognition is able to be performed on any frame component and 
the direct access data structure allows an access time substantially independent from 
the number of rules. 

Preferably, the means for monitoring and interpretation of the application 
frames comprise: 

a) a data packets monitoring device at a layer corresponding to the OSI layer 
2, said data packets comprising control frames and information frames, wherein the 
control and information frames contain a header portion and a body portion, said 
header portion allowing the distinction between an information frame and a control 
frame; 

b) a control unit receiving as an input the data coming from the monitoring 
device and comprising means for the discrimination of the control frames from the 
information frames; 

c) a dating unit connected to the control unit and associating a monitoring 
time to the control frames and to the information frames; 

d) a discriminated data storing unit, storing the control and the information 
frames and the monitoring time thereof, bidirectionally connected to the control unit; 

e) a predetermined data storing unit, bidirectionally connected to the control 
unit, said predetermined data representing possible interpretations of the information 
frames contained in the discriminated data storing unit; 

f) means for comparing, by the control unit, said predetermined data 
stored in the storing unit with the data contained in the body portion of the 
information frames stored in the discriminated data storing unit, thus reconstructing 
the information frames according to their specific application syntax; 

g) means for ordering, according to the time and kind of communication, 
the information frames reconstructed according to their specific application syntax, 
thus reconstructing application sequences occurred between a determined source 
processor and a determined destination processor; and 

h) means for ordering said information frames ordered according to the 
time and kind of communication also according to a logical criterion, thus 
reconstructing the logical path of said application sequences occurred between a 
determined source processor and a determined destination processor. 

As it is known, a direct access data structure allows access to the 
i-th element without necessarily having to access the preceding elements, as 
occurs instead with sequential access data structures. Known examples of direct 
access data structures are vectors, matrices, correspondence tables, a memory of a 
processor etc. 

A first advantage of the access control device according to the present 
invention is given by the flexibility wherewith a recognition pattern can be realized. 
In fact, by virtue of the use of the apparatus for monitoring and interpretation of 
application protocols, described in detail herebelow, the recognition of the 
communication frames can be based on any of the components of the frame, both on 
the control portion and on the information portion. Therefore, a recognition pattern 
can be realized (and therefore the access can be restricted) based on the contents of 
the exchanged information between client and server and not only based on the used 
network addresses and services. 

A second advantage of the device according to the present invention is 
given by its capability to manage a very high number of patterns (in the order of 
millions) without any decay in the performances. 

In fact, in a context where a high number of users, servers and 
application services on the same servers is involved, when it is desirable to directly 
manage (or to control and document) the accessibility of each user to the single 
server and to the application service thereby provided, the pattern number grows 
quadratically. For instance, given 1000 users on the territory and 100 servers of 
which it is desirable to manage and control the accesses, 1000*100=100.000 patterns 
are generated. This number further increases when it is desirable to manage and/or 
control the access to the application for each single server, the pattern number 
growing to the order of the millions in the actual cases of middle/big-dimensioned 
structures. 

Such a pattern number is by all means acceptable for the device of the 
present invention. 

In fact, the recognition of the acquired communication frames is based 
on a deterministic access algorithm (hence neither heuristic nor probabilistic) 
ensuring an access time that is constant and independent (under any input) from the 
pattern number. 

Then the access control device performs for each correctly recognized 
frame the coordinating operation associated to recognition. As an example, once the 
recognition has occurred, the device will activate a TCP/IP layer (or layers 
corresponding to other protocols) communication with the server application 
individuated as result of the recognition, even a partial one, of the information 
component of the access frame, providing as parameters part of the already 
recognized or yet unprocessed information component. The sending modes 
(parameter sending format, number of parameters to send, application to activate, 
etc.) are associated to the recognition action and are therefore stored in the patterns. 

The access control device according to the present invention can be 
configured to operate both in positive logic and in negative logic. 

In positive logic, all the frames that meet the recognition patterns will 
be considered as accepted and therefore brought to destination or are subjected to a 
coordinating, control and/or documentation action. 

In negative logic, all the frames that do not meet the recognition 
patterns will be considered as accepted and therefore brought to destination or shall 
be subjected to a coordinating, control and/or documentation action. All the 
recognized frames will not be brought to destination or shall not be subjected to a 
coordinating, control and/or documentation action. 
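The positive/negative logic decision just described, together with the compilation of <data type>/<data value> patterns (joker values included) into a direct access structure whose lookup cost does not depend on the number of rules, as an added Python example that is not code from the patent. The field names, addresses, paths and the coordinating-action format are assumptions constructed for the example.

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

JOKER = "*"  # joker value (claim 6): matches any <data value> of that <data type>

# <data type>s a pattern may constrain (assumed names); their order fixes the key layout.
KEY_FIELDS = ("ip_src", "ip_dst", "tcp_dport", "http_method", "http_path")

Rule = Dict[str, str]    # <data type> -> <data value>; a missing type counts as joker
Action = Dict[str, str]  # hypothetical coordinating operation stored with the pattern


class DirectAccessRules:
    """Compiles <data type>/<data value> patterns into a hash-keyed table.

    Each pattern becomes a tuple of numerical identifiers (claim 2, 'conversion
    means'); identifier 0 is reserved for the joker. Recognizing a frame probes
    the table once per joker mask, i.e. at most 2**len(KEY_FIELDS) times: the
    cost depends on the number of frame components, never on the number of rules.
    """

    def __init__(self, rules: List[Tuple[Rule, Action]], positive_logic: bool = True):
        self.positive_logic = positive_logic
        self.value_ids: Dict[str, int] = {}            # <data value> -> identifier (>= 1)
        self.table: Dict[Tuple[int, ...], Action] = {}  # the direct access data structure
        for rule, action in rules:
            self.table[self._compile(rule)] = action

    def _compile(self, rule: Rule) -> Tuple[int, ...]:
        key = []
        for field in KEY_FIELDS:
            value = rule.get(field, JOKER)
            if value == JOKER:
                key.append(0)
            else:
                key.append(self.value_ids.setdefault(value, len(self.value_ids) + 1))
        return tuple(key)

    def recognize(self, frame: Dict[str, str]) -> Optional[Action]:
        """Return the action of the matching pattern, or None if no pattern matches."""
        # A frame value never seen in any rule gets -1: it can only match a joker.
        ids = [self.value_ids.get(frame.get(field, ""), -1) for field in KEY_FIELDS]
        # product() yields the all-concrete mask first, so the exact pattern wins.
        for mask in product((False, True), repeat=len(KEY_FIELDS)):
            key = tuple(0 if jok else i for jok, i in zip(mask, ids))
            if key in self.table:
                return self.table[key]
        return None

    def decide(self, frame: Dict[str, str]) -> Tuple[str, object]:
        """Forwarding means vs. return-to-sender means, in positive or negative logic."""
        action = self.recognize(frame)
        recognized = action is not None
        accepted = recognized if self.positive_logic else not recognized
        if accepted:
            return ("FORWARD", action if self.positive_logic else None)
        # Claim 3: the returned frame carries the reason of the failed forwarding.
        reason = ("no pattern recognizes the frame" if self.positive_logic
                  else "frame recognized by a blocking pattern")
        return ("RETURN_TO_SENDER", reason)

    @staticmethod
    def probes_per_frame() -> int:
        """Upper bound on table lookups per frame, independent of the rule count."""
        return 2 ** len(KEY_FIELDS)


# Constructed sample patterns; the addresses, paths and server names are made up.
RULES: List[Tuple[Rule, Action]] = [
    ({"ip_src": "10.0.0.5", "ip_dst": "10.0.1.20", "tcp_dport": "80",
      "http_method": "GET", "http_path": "/index.html"},
     {"server_app": "web-frontend"}),
    ({"ip_src": JOKER, "ip_dst": "10.0.1.21", "tcp_dport": "80",
      "http_method": "GET", "http_path": JOKER},
     {"server_app": "public-catalog"}),
]

FRAME_EXACT = {"ip_src": "10.0.0.5", "ip_dst": "10.0.1.20", "tcp_dport": "80",
               "http_method": "GET", "http_path": "/index.html"}
FRAME_JOKER = {"ip_src": "10.0.0.99", "ip_dst": "10.0.1.21", "tcp_dport": "80",
               "http_method": "GET", "http_path": "/catalog?item=7"}
FRAME_UNKNOWN = {"ip_src": "10.0.0.99", "ip_dst": "10.0.1.20", "tcp_dport": "80",
                 "http_method": "POST", "http_path": "/admin"}

if __name__ == "__main__":
    positive = DirectAccessRules(RULES)
    negative = DirectAccessRules(RULES, positive_logic=False)
    for name, frame in (("exact", FRAME_EXACT), ("joker", FRAME_JOKER),
                        ("unknown", FRAME_UNKNOWN)):
        print(f"{name:8} positive={positive.decide(frame)} negative={negative.decide(frame)}")
    print("probes per frame:", DirectAccessRules.probes_per_frame())
```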

The present invention will be illustrated herebelow by referring to a 
preferred embodiment thereof, explained by way of a non-limiting example. 
Reference to figures of the annexed drawings will be made, wherein: 

figure 1 shows a schematic diagram of the OSI standard; 
figure 2 shows a schematic view of the type of data used on 
communication networks; 

figure 3 shows a schematic view of the type of data used on 
communication networks with reference to the TCP/IP protocol; 
figure 4 shows a block diagram of the apparatus for monitoring and 
interpretation belonging to the access control device according to the present 
invention; 

figure 5 shows a flow chart explaining the operation of the component 
in figure 4; 

figures 6 and 7 show additional flow charts for the understanding of 
what is disclosed with reference to figure 5; 

figures 8A and 8B show an example of application tree containing 
statistic information obtained by means of the component in figure 4; 

figure 9 shows a block diagram of the access control device according 
to the present invention; 

figures 10A and 10B show examples of the logical correspondence 
between bipartite graph and bidimensional matrix; 

figure 11 contains an example of specification of predetermined rules; and 

figure 12 shows a matricial representation of sequences of numerical 
identifiers. 

Data transmission from a source device to a destination device can 
occur in different manners. However, to ensure a data exchange having the lowest 
possible chance of errors it is necessary to adopt a series of rules or control 
procedures. Said rules or procedures are known as "communication protocols". 

A well known communication protocol is the "Open System 
Interconnection" (OSI) of the International Standards Organization (ISO). Said 
protocol is divided into seven layers, shown in figure 1. Layer 7 (application) on the 
source side contains information related to the sole message (M) to be sent to the 
destination side. The successive layers on the source side add control information to 
the message: layer 6 (presentation) divides the data of the original message into 
blocks (M1 and M2); layer 5 (session) adds a title (S) to indicate the sender, the 
receiver and some information related to the sequence; layer 4 (transport) adds 
information (T) related to the logic connection between the sender and the receiver; 
layer 3 (network) adds information related to the path (N) and divides the message 
into packets representing the standard communication unit in a network; layer 2 (data 
link) adds a title portion (B) and a tail portion (E) to the message to ensure the 
correct order of the various packets and to correct transmission errors; the single 
message bits and control information bits added by the various layers are transmitted 
on the physical medium through layer 1. The downward pointing arrow F1 on the 
sender side indicates the manner according to which the outgoing message is 
constructed. Every addition to the message is verified and removed from the 
corresponding layer on the destination side. The upward pointing arrow F2 on the 
destination side indicates the manner according to which the incoming message is 
reconstructed. 

With reference to the OSI standard, the communication unit in a 
network is the packet. Packets are in turn divided into frames. The beginning and the 
end of each frame are usually determined by delimitation characters. The frames are 
in turn divided into information and control frames. The information frames transport 
the data relative to the message that is to be transmitted throughout the network, 
while the control frames deal with the regulating modes of said transport, i.e. the 
flow control and the starting of the error recovery actions. Both the information and 
the control frames contain a header portion identifying the frame type and a body 
portion which is typical of the frame itself. 

The information frame structure will be described with reference to 
figure 2. In the upper portion of said figure, the generic structure of an OSI layer 2 
packet is schematically described, thus comprising both information frames 1 and 
control frames 2. A single information frame (OSI layer 3) is constituted by a header 
portion 3, containing the identification that the frame is an information frame, and by 
a body portion 4. The body portion (OSI layers 4-7) contains the real message 5, 
together with a plurality of fields 6, typical of the particular application syntax used, 
illustrated by way of example in the figure with the characters C1, C2 and C3. The 
application syntax is the information relative to the number of fields contained within 
the plurality 6, to the meaning of each of said fields and to the data contained therein. 

The OSI model schematically described up to this point is just a 
conceptual model. A typical protocol normally adopted is for example the TCP/IP 
(Transmission Control Protocol and Internet Protocol). Said protocol, just like other 
communication protocols adopted, can be explained with reference to the layers 
structure of the OSI model. In fact, in each of said protocols, a certain source layer 
will divide the data it receives from an upper layer adding to said data a header 
and/or a tail and will forward all this to a lower layer. On the destination side the 
opposite operations will occur. 

With reference to the following figure 3, a schematic view is shown of 
the type of data used on local communication networks with reference to the TCP/IP 
protocol carrying the HTTP application service (Internet browsing). 

The Ethernet Layer substantially includes four kinds of fields: 
- a destination network card address field 101; 

- a source network card address field 102; 

- a communication protocol field 103, in this case indicative of the carried IP 
protocol and of the length of the information portion; and 

- an information field 104, i.e. containing the Ethernet layer data, i.e. the 
entire structure of the carried IP protocol. 

The IP Layer (encapsulated in the Ethernet layer) substantially includes six 
types of fields: 

- a series of control fields 105 identifying the version, the length, the 
transmission options, the filler etc.; 

- a communication protocol field 106, in this case indicative of the TCP 
protocol; 

- an IP destination address field 107, i.e. of the IP address of the packet 
receiver; 

- an IP source address field 108, i.e. of the IP address of the packet sender; 
and 

- an information field 109, i.e. containing all the IP layer data, i.e. the entire 
structure of the carried TCP protocol. 

The TCP layer (encapsulated in the IP layer) includes four types of fields: 
- a source port field 110, indicating the TCP service port used by the packet 
sender; 

- a destination port field 111, indicating the TCP service port used by the 
packet receiver; 

- a series of control fields 112 identifying the packet ID, the working window, 
the crc, various options etc.; and 

- an information field 113, i.e. containing the TCP layer data, i.e. the entire 
structure of the carried HTTP application service, i.e. the HTTP language commands 
and, in its information part, the HTML language commands. 
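The Ethernet, IP and TCP fields just listed (101 to 113), decoded from a constructed frame down to the HTTP command line, as an added Python example that is not code from the patent. The addresses, ports and HTTP request are made up, and the checksums are left at zero because nothing here validates them.

```python
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Split an Ethernet II frame into the fields numbered 101-113 in the text.

    Every layer's information field is kept as raw bytes so that recognition can
    look at any component, down to the HTTP command carried by TCP.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields: Dict[str, Any] = {
        "eth_dst": mac_str(eth_dst),    # field 101
        "eth_src": mac_str(eth_src),    # field 102
        "eth_type": ethertype,          # field 103
        "eth_data": frame[14:],         # field 104: the whole carried IP structure
    }
    if ethertype != ETHERTYPE_IPV4:
        return fields
    ip = fields["eth_data"]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IP lengths")
    fields.update({
        "ip_control": {"version": ver_ihl >> 4, "header_len": ihl,  # field 105
                       "total_len": total_len, "ttl": ttl},
        "ip_proto": proto,                  # field 106
        "ip_dst": ip_str(ip[16:20]),        # field 107
        "ip_src": ip_str(ip[12:16]),        # field 108
        "ip_data": ip[ihl:total_len],       # field 109: the carried TCP structure
    })
    if proto != IPPROTO_TCP:
        return fields
    tcp = fields["ip_data"]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, tcsum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("inconsistent TCP data offset")
    fields.update({
        "tcp_sport": sport,                 # field 110
        "tcp_dport": dport,                 # field 111
        "tcp_control": {"seq": seq, "ack": ack,  # field 112
                        "flags": off_flags & 0x01FF, "window": window},
        "tcp_data": tcp[data_off:],         # field 113: the HTTP command and its HTML
    })
    # Application layer: the first HTTP request line, when one is present.
    request_line = fields["tcp_data"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        fields["http_method"], fields["http_path"], fields["http_version"] = parts
    return fields


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed frame: Ethernet II + IPv4 (no options) + TCP (no options) + payload."""
    eth = (bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 1, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_FRAME = build_sample_frame(b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{name:12} {value!r}")
```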

Monitoring systems for the data transmitted between a sender node 
and a destination node are already known. However, said systems can only analyze 
the OSI layers 2 (data link) and 3 (network). The monitoring and the successive 
interpretation of the data at said layers allow only the monitoring of anomalies in the 
exchange protocol among the various components of a network data transmission 
system. 
Therefore, a typical disadvantage of said prior art systems is their 
incapability of decoding the application piece of information transported on the 
network, i.e. the piece of information related to the layers 4-7 of the OSI standard. 

In the following figures 4 to 8B, the structure and the operation of an 
apparatus for monitoring and interpretation of application protocols will be described 
in detail. 

Reference will now be made to figure 4, showing a block diagram of 
the apparatus. First of all, in said figure a source node 7 and a destination node 8 are 
shown, terminals of the network portion in which the data are monitored and 
interpreted. Throughout the connection between said two nodes, schematically 
illustrated by arrows F3, F4, F5, F6 and by the transmission medium 23, data relative 
to plural communications between a first set of source processors (not shown in the 
figure) upstream of the source node 7 and a second set of destination processors (not 
shown in the figure) downstream of the destination node 8 travel bidirectionally. 

Said data are monitored by means of a data monitoring device 9. 
Several monitoring devices are known on the market; for instance, concerning 
networks based on Ethernet technology, the Fast Etherlink XL™ card produced by 
the company 3Com™ can be mentioned. As for networks based on X.25 technology, 
e.g. the S508 card produced by the Canadian company Sangoma™ can be 
mentioned. Such card can operate with different OSI layer 1 (physical layer) 
standards such as, for example, the RS232 (or V.24) standard and the RS422 (or 
V.35) standard. The OSI layer 2 (data link) standards with which said card can 
operate are, for instance, the HDLC standard, or the X.25 standard, contained 
therein. Anyway, the kind of data monitoring device 9 to be selected for the purposes 
of the present invention can vary depending on which OSI layer 1 or 2 standards 
one needs to operate with. In fact, it will be possible to use monitoring devices working 
with implementation standards different from the OSI layer 2, such as for example 
"Frame Relay" or SDLC or also BSC and the like. Said devices are well known to 
the person skilled in the art and will not be described here in detail. 

The monitoring occurs "transparently" by means of two parallel connectors 10 and 11, schematically illustrated in the figure, allowing the monitoring of the data coming respectively from the source node 7 and from the destination node 8. The monitoring device 9, shown by the dashed block in the figure, includes a source data receiver 12, a destination data receiver 13 and a connection interface 14. The source data receiver 12 allows the reception of the data coming from the source node 7 only, as schematically indicated by the arrow F7; on the other hand, the destination data receiver 13 allows the reception of the data coming from the destination node 8 only, as schematically indicated by the arrow F8. The data received in this manner are transmitted to the connection interface 14, as indicated by the arrows F9 and F10.

Each data packet situated at a layer corresponding to the OSI layer 2 read by the monitoring unit 9 is forwarded to a control unit 15, as indicated by arrow F11. The control unit 15 will be described in detail later. To each of said packets a reading time is associated by means of a dating unit 16, represented outside the control unit 15 for ease of description and connected thereto as indicated by arrow F12. Such dating unit 16 can be any absolute time device on the market, in particular a radio or a satellite one. In a preferred embodiment of the present invention a radio controlled digital clock adjusted on the CET (Central European Time) broadcast by geostationary satellite was used.

Further to the association of the reading time by means of the dating unit 16, the control unit 15 discriminates the single frame so as to reconstruct the right logic/temporal forwarding sequence of the frames which, as is known, does not always coincide with the received sequence: in fact, due to the routing techniques on telecommunications networks, it is possible for a forwarded sequence of the "ABC" type to be received in each of its possible permutations, i.e. "ABC", "ACB", "BAC", "BCA", "CAB", "CBA". Therefore, the control unit 15 discriminates the information frames from the control frames. For example, if transmission of the information occurs in the HDLC format, the last bit of the header portion of an information frame is 0 whereas the last bit of the header portion of a control frame is 1. Therefore, inside the control unit 15 there are means, not shown in the figure, discriminating said last bit, e.g. firmware contained in a ROM. In any case, no matter which data transmission code is used, the modes discriminating a control frame from an information frame will always be known. Therefore, it will always be possible to provide means for said discrimination. Such discrimination thus allows the storage of the single information frame deprived of the header portion and comprising the body portion only, thus containing the information which is typical of the particular application syntax used, together with the message to be transmitted.

The data incorporating the monitoring time and divided into information frames and control frames are stored inside a discriminated data storing unit 17, bidirectionally connected to the control unit 15 as indicated by arrow F13. There is also a predetermined data storing unit 18, bidirectionally connected to the control unit 15. Said predetermined data represent possible interpretations of the information or control frames contained in the discriminated data storing unit 17. Their use will be explained herebelow with reference to the following figures. The connection between the predetermined data storing unit 18 and the control unit 15 is indicated by arrow F14.
Reference will now be made to figure 5, showing a flow chart indicating the operations executed by the control unit 15 on the information frames stored in the discriminated data storing unit 17. The access to such information frames is intended to be selectively regulated by authorization and privilege management systems such as passwords, encryption and decryption codes, badge readers and the like given to qualified users.

A first step S1 indicates the reading of the various packets by the monitoring unit 3. A second step S2 indicates the previously described discrimination operated by the control unit 15 between the information frames and the control frames, together with the association of the monitoring time.

On the non-application low layer control frames, whose use is marginal for the purposes of the present invention, a statistical processing might also be provided, operated in the step S3. Said processing is not described in detail at the moment; the modes by which it occurs will become clear at the end of the present description. The final result of such processing will provide a list of the control frames, reporting also the number of occurrences of each of said frames.

As for the information frames, the flow proceeds to a step S4 in which the single information frames are reconstructed according to their specific application syntax. For the purposes of said reconstruction, the application syntax structures of the single information frames must be known. In fact, they are contained inside the predetermined data storing unit 18 described with reference to the previous figure 3. Said unit 18 contains, for example in a text file, a formal abstract description of possible interpretations of the information or control frames. Said data represent the modes according to which the body portion of a single information frame can be structured, for example the machine transmission code (i.e. related to an information frame forwarded by the source or the destination), the number of the channel (i.e. related to a specific processor upstream of the source node or to a specific processor downstream of the destination node), protocol numbers, data processing numbers etc. Said unit 18 can of course contain the syntax of several application protocols of the information frames that are to be reconstructed at that moment.
A reconstruction of the information frames one by one is obtained by a sequential comparison of the body portion of each information frame with each one of the abstract models in the unit 18.

Further to this, the different application sequences that occurred between a determined source processor and a determined destination processor can be reconstructed, i.e. ordered according to time and kind of communication. Throughout the present description, an application sequence will be understood as the whole of the information frames exchanged between a determined source processor and a determined destination processor during a single communication. The application sequence ordered in step S5 will contain the single information frames ordered according to a time criterion only and not also to a logical one. Ordering by time will be possible through the time association made in the previous step S2.

To give also a logical ordering of the data inside a specific application sequence, the presence of a group of application rules directing the data exchange between source and destination can be useful, although not necessary. Said application rules, typical of the particular kind of conversation between a determined source processor and a determined destination processor, must be predetermined and as such, they as well are collected in the predetermined data storing unit 18. Said application rules are a series of possible interpretations of the information frame sequences contained in the discriminated data storing unit 17.

An example of such application rules is given by table 1 herebelow, wherein reference is made to a communication between a source representing a student (client) wanting to enroll at a university via a terminal, and a destination (server) representing the university where the student wants to enroll.

TABLE 1

1: AS ? FDB 15 AS ? FDB 5 AS ? FDB 0
   The enrollment booking was regularly acquired

2: AS ? FDB 13 AS ? FDB 0
   The client position is not regular


Every row of said table is an application rule, indicating i.e. a possible data exchange application sequence between source and destination. The meaning of each application sequence is illustrated herebelow. For example, the first row indicates the following sequence of information frames:

- the source (AS) interrogates (?) the destination;
- the destination (FDB) answers with the activity number 15;
- the source (AS) interrogates (?) the destination again;
- the destination (FDB) answers with the activity number 5;
- the source (AS) interrogates (?) the destination; and
- the destination (FDB) answers with the activity number 0.

The result obtained at the end of this conversation is that the booking for the university enrollment is regularly acquired.

The structure of Table 1 is a mere example and it could also be illustrated with a tree structure having a number of branches depending on the number of application sequences provided. Every path down to one of the tree leaves would illustrate a particular application sequence, i.e. a particular conversation between source and destination, i.e. a particular information frame sequence between source and destination.

The number of application rules can be any. The larger the number of application rules provided, the bigger the chance to associate each of the application sequences temporally reconstructed in the step S5 with a well defined logical meaning, found by comparison with a particular application rule contained in the predetermined data storing unit 18 in figure 3. Therefore, in this manner it will be possible to verify the correctness or the anomaly of the particular application sequence that is being compared at that moment.

In the step S6 in figure 5 the control unit 15 verifies first of all whether such application rules are available or not. Supposing that said application rules are known, the flow can proceed either toward a step S8 or toward a step S9, depending on what was chosen in the step S7. The step S8 allows a simple classification of the application sequences. In fact, each application sequence is classified as belonging to a particular path among the various possible paths inside the application rules tree. The step S8 will be explained in greater detail with reference to the following figure 6.

On the other hand, in the step S9 the logical path of all the application sequences monitored by the apparatus in a predetermined time interval is reconstructed. Said step S9 will be described in greater detail with reference to the following figure 7.

The apparatus according to the present invention allows a reconstruction of the logical path of the application sequences also if a series of application rules is not provided. In this event, the flow proceeds to a step S10, which will also be described later.

Reference will now be made to figure 6, which provides a more detailed explanation of what was previously described with reference to step S8 of figure 5. In a first step S11 the single application sequence, object of the comparison, is selected. In a successive step S12, the elements which are characterizing for comparison purposes are selected inside the selected application sequence.

In the example of the enrollment at the university previously described in table 1 said characterizing elements might be: the identification number of the source processor, the identification number of the user who requested the enrollment operation, the data provided by the source and the data provided by the destination.

In the step S13 the characterizing elements of the considered application sequence are compared with one of the application rules of the above described table 1, searching for a possible correspondence. If such a correspondence is found, the flow proceeds to a step S14 wherein said correspondence is reported and will have to be taken into consideration in the results of the interpretation. Then the flow selects another sequence and executes again the step S11. If the correspondence at the step S13 is not found, the control unit 15 goes in step S15 to a subsequent rule and if (step S16) there are still rules allowing a comparison the control unit executes once again the comparison of step S13. If no further rules are found, the control unit reports an anomaly in the step S17. Such an anomaly might alternatively mean:

- either a kind of sequence which should not have occurred (a real anomaly); or
- a kind of sequence mistakenly not inserted inside the application rules tree.

In each of said events, finding such an anomaly is certainly useful for the certification of the kinds of application sequences that occurred in the network portion under examination.

Reference will now be made to the following figure 6 which gives a more detailed explanation of what is described in the step S9 in figure 5.

The steps S18 and S19 select respectively the single application sequence and the characterizing elements of the same, similarly to what is described with reference to the previous figure 5. The step S20 is to indicate the comparison between the application sequence and the preset application rules contained inside the predetermined data storing unit 18. If a correspondence is found, the flow proceeds to a step S21 wherein the correspondence found is taken into consideration 
through the update of the related statistic fields. Steps S18-S20 will be subsequently repeated, until the end of the sequences to be classified. If no correspondence is found, the application sequence to be classified is new; it can be an anomaly or simply an unexpected sequence. In this event, the flow proceeds to a step S22 wherein the statistic fields related to that specific sequence are initialized. Furthermore, the new sequence will be inserted in the list of the preset sequences that are to be used for the comparison in the step S20. This is also indicated by the double pointing of the arrow F14 in the previous figure 4. Said particular sequences, i.e. the possible anomalies, can be highlighted in a particular manner so as to be recognized as such. Further to this, also in this case the steps S18-S20 are repeated until the end of the sequences to be classified. In particular, besides the number of crossings for each tree branch, it is also possible to monitor uncrossed branches.

In case there is no preset sequence of application rules, it will always be possible for the control unit to reconstruct the application communications that occurred in the network portion under control (step S9 in figure 5). In this event each analyzed application sequence will not be compared with the preset sequences, but with the previously analyzed sequences. Therefore, the tree structure containing statistical information will be reconstructed by reciprocal comparison of the body portion of the information frames. Also in this case, a tree will be constructed and it will be possible to know the number of crossings for each branch. Obviously, in this case it will not be possible to monitor the uncrossed branches as there will not be a prior knowledge of the existence of said branches.
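The classification of figures 6 and 7 against the application rules of Table 1, as an added example that is not part of the patent's own code: a tree of rules classifies time-ordered application sequences, counts the crossings of each branch, inserts an unknown sequence as a new branch (step S22) and lists the preset branches never crossed, which a tree learned without preset rules cannot report. The tokenisation of each step as "<party> <message>" and the method names are assumptions of this example.

```python
# Added example, not the patent's code. Each application sequence is a list of
# step tokens such as "AS ?" (source interrogates) and "FDB 15" (destination
# answers with activity 15); this tokenisation is a constructed assumption.

class Node:
    """One branch of the application rules tree."""
    __slots__ = ("children", "meaning", "count", "preset")

    def __init__(self, preset):
        self.children = {}    # next step token -> Node
        self.meaning = None   # set on the last step of a rule
        self.count = 0        # crossings of this branch in the monitored interval
        self.preset = preset  # False for branches learned at run time (step S22)


class RuleTree:
    """Tree of application rules (one path per rule, Table 1 style)."""

    def __init__(self, rules=()):
        self.root = Node(preset=True)
        for steps, meaning in rules:
            self.add_rule(steps, meaning)

    def add_rule(self, steps, meaning, preset=True):
        node = self.root
        for tok in steps:
            if tok not in node.children:
                node.children[tok] = Node(preset)
            node = node.children[tok]
        node.meaning = meaning
        node.preset = node.preset and preset
        return node

    def _path(self, steps):
        """Nodes crossed by the sequence, stopping at the first unknown step."""
        nodes, node = [], self.root
        for tok in steps:
            node = node.children.get(tok)
            if node is None:
                break
            nodes.append(node)
        return nodes

    def classify(self, steps):
        """Steps S20/S21: follow the sequence through the tree and bump the
        crossing count of every branch it passes, returning the rule meaning.
        An unknown sequence (step S22) is inserted as a new non-preset branch
        with its statistics initialised, and None is returned so the caller
        can flag it as a possible anomaly."""
        if not steps:
            raise ValueError("empty application sequence")
        path = self._path(steps)
        matched = len(path) == len(steps) and path[-1].meaning is not None
        if not matched:
            self.add_rule(steps, "unexpected: " + " ".join(steps), preset=False)
            path = self._path(steps)
        for node in path:
            node.count += 1
        return path[-1].meaning if matched else None

    def _rules(self):
        """(steps, node) for every branch that carries a rule meaning."""
        found = []

        def walk(node, steps):
            if node.meaning is not None:
                found.append((steps, node))
            for tok, child in node.children.items():
                walk(child, steps + [tok])

        walk(self.root, [])
        return found

    def crossings(self):
        """Rule text -> number of times it was crossed (the statistic fields)."""
        return {" ".join(s): n.count for s, n in self._rules()}

    def uncrossed(self):
        """Preset rules never matched: only knowable when rules were given in
        advance, which is why a learned tree (no preset rules) reports none."""
        return [" ".join(s) for s, n in self._rules() if n.preset and n.count == 0]


# Constructed tokenisation of Table 1 above.
TABLE_1 = [
    (["AS ?", "FDB 15", "AS ?", "FDB 5", "AS ?", "FDB 0"],
     "The enrollment booking was regularly acquired"),
    (["AS ?", "FDB 13", "AS ?", "FDB 0"],
     "The client position is not regular"),
]


def classify_all(rules, sequences):
    """Classify time-ordered sequences; returns the tree and one result each.
    With rules=() the tree is built only from what was observed (step S10)."""
    tree = RuleTree(rules)
    return tree, [tree.classify(seq) for seq in sequences]
```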

Reference will now be made to figures 8A and 8B showing respectively an example of an information frame and an example of a tree structure containing statistical information obtained by means of the apparatus according to the present invention.

In figure 8A it is possible to notice four different fields: a first field 19 indicating the name of the source or destination processor; a second field 20 indicating the number of connections in the monitored time interval; a third field 21 indicating the average time length of each connection, counted for example in milliseconds; and a fourth field 22 indicating the code of the activity executed.

Figure 8B indicates the reconstructed tree. A first element E1 in the tree indicates that AS (source) connected 20 times, with an average connection time of 0 milliseconds (simple opening of the connection with the destination) and executed the activity with the code 0. A second element E2, E1's only "son", indicates that in all those 20 connections FDB (destination) answered with the activity having the code 20, with an average connection time of 20 milliseconds. There were two manners of proceeding. AS answered 18 times (element E3) with the activity 0 and twice (element E4) with the activity 1. The tree proceeds with other elements, whose meaning is now clarified by the context. The tree herewith disclosed is the result of the logical ordering operated in the steps S9 or S10 in figure 5.

It is to be noted that the monitoring of the contents in the fields 19 and 22 of each element was operated in the step S4 in figure 5. The monitoring of the connections among the various elements, i.e. the fact that the element E2 is E1's "son" and that the elements E3 and E4 are E2's "sons", was operated either in the step S9 or in the step S10 in figure 5.

The data flow relating to a particular application that occurred between one or more determined processors upstream of a source node and one or more determined processors downstream of a destination node can therefore be reconstructed, in the sense of being univocally determined in all its component parts. Therefore, what is reconstructed is the conversation relating to one or more client/server applications. The logical reconstruction can take the form of the tree structure of figure 8B. Thus, communications relating to different applications (which therefore originate different application trees) can be reconstructed, and on the same source processor more client applications (relating to different server applications) can also be present. In the same way, on a destination processor more server applications can be present.

Having ended the detailed description of an apparatus for monitoring and interpretation of network application protocols, herebelow the structure and the operation of the remaining components of the network access monitoring device according to the present invention will be described in detail.

The preferred connection mode of said device is a series connection, on Ethernet networks for 10 Mbits (connectors RJ58 and RJ45) and for 100 Mbits (RJ45) or more.

The OSI layer 2 supported protocols will be all the protocols encapsulated in Ethernet, like 802.3, DOD IP, ARP etc.

The OSI layer 3 supported protocols will be all the protocols encapsulated in the various OSI layer 2 protocols, like TCP/IP, UDP/IP, Netbios/IEEE 802.3, SNA/IEEE 802.3 etc.

First of all, reference will be made to figure 9, showing a block diagram of the access control device according to the present invention. The various blocks in figure 9 will be described herebelow one at a time.

Element 201:

It is the element storing the pattern recognition rules. The archive of the recognition rules is created by reading a file or, e.g., by directly typing in the rules through the keyboard.

Firstly, it should be assumed that said recognition rules are indicated as <data type>/<data value> pairs.

For instance, a recognition pattern of an Internet browsing request by a client with the address 192.23.40.1 to a web server of address 210.20.20.6 has the following structure:

(ETH_PROT, IP),
(IP_SRC_ADDR, 192.23.40.1),
(IP_DST_ADDR, 210.20.20.6),
(TCP_DST_PORT, HTTP)

wherein:

- the first pair (ETH_PROT, IP) indicates that the protocol contained in the Ethernet layer must be the IP protocol;
- the second pair (IP_SRC_ADDR, 192.23.40.1) indicates that the IP address of the packet sender must be the one indicated;
- the third pair (IP_DST_ADDR, 210.20.20.6) indicates that the IP address of the packet receiver must be the one indicated; and
- the fourth pair (TCP_DST_PORT, HTTP) indicates that the TCP service used is the HTTP (web) one.

The identification numbers on the right of the pairs can also assume values that are not predetermined, for instance if it is desirable to identify all the addresses of a subnetwork. In this case the address of the previous example can be expressed as 210.20.20.* where the symbol * (asterisk) indicates a joker value, i.e. all the possible values that can be in that position. In the same pair two or more asterisks may appear: e.g., 210.*.20.*, thus indicating a set of 65536 (or more) different addresses. Other accepted configurations are e.g.: 2*.20.20.*, indicating all the addresses beginning with 2 and ending with a subaddress comprised between 0 and 255 (in this case a total of 100*256=25600 different addresses).

A further example of a recognition pattern for the IBM NetBios protocol between two processors is the following:

(ETH_PROT, IEEE802),
(IEEE802_DST_SAP, IBM_NETBIOS)

When wishing to force the recognition of the network cards involved in the NetBios communication (6 bytes, including the card issuer code and the card number), the pattern becomes:

(ETH_SRC_ADDR, 0xFF45DE782201),
(ETH_DST_ADDR, 0xF237C811000F),
(ETH_PROT, IEEE802),
(IEEE802_DST_SAP, IBM_NETBIOS).

Element 202:

It is the pattern compiler, consisting of a conversion element for converting the rules contained in 201 into a set of sequences of numerical identifiers and of a compression element for compressing the identifiers thus obtained.

i) Conversion element

The recognition rules appearing as <data type>/<data value> pairs are converted into sequences of numerical identifiers, constituting the basis for the recognition of the frames read from the network.

For instance, given the rule

(ETH_PROT, IP),
(IP_SRC_ADDR, 228.186.33.90),
(IP_DST_ADDR, 41.240.227.149),
(TCP_DST_PORT, HTTP)

it follows that:

a) the first pair (ETH_PROT, IP) is converted into two hexadecimal data pairs (in which the 0x prefix indicates that the subsequent value is represented in hexadecimal):

0x0C 0x0800
0x49 0x06

wherein:

- the first row contains two values, 0C and 0800. The digit farther left of the first value (0) identifies an Ethernet frame. The second digit of the first value (C) indicates the position inside the frame (13th byte, considering the first one to be in position 0). The second value (0800) is the identification code of the IP protocol when contained in an Ethernet frame; and
- the second row contains two values, 49 and 06. The digit farther left of the second value (4) identifies an IP net. The second digit of the first value (9) indicates the position inside the net. The second value (06) identifies the TCP protocol contained in IP.

b) the second pair (IP_SRC_ADDR, 228.186.33.90) is converted into four hexadecimal data pairs:

0x4C 0xe4
0x4D 0xba
0x4E 0x21
0x4F 0x5a

wherein each pair indicates respectively the IP frame (4), the position (from C to F) and the value of each single element constituting the source address: in fact e4 in hexadecimal corresponds to 228 in decimal, ba in hexadecimal corresponds to 186 in decimal, 21 in hexadecimal corresponds to 33 in decimal and 5a in hexadecimal corresponds to 90 in decimal.

c) the third pair (IP_DST_ADDR, 41.240.227.149) is converted into four hexadecimal data pairs:

0x410 0x29
0x411 0xF0
0x412 0xE3
0x413 0x95

wherein each pair indicates respectively the IP frame (4), the position (from 10 to 13) and the value of each single element constituting the destination address: in fact 29 in hexadecimal corresponds to 41 in decimal, F0 in hexadecimal corresponds to 240 in decimal, E3 in hexadecimal corresponds to 227 in decimal and 95 in hexadecimal corresponds to 149 in decimal.

d) the fourth pair (TCP_DST_PORT, HTTP) is converted into a pair of hexadecimal data:

0x82 0x0080

in which the digit farther left of the first value (8) indicates the TCP frame, the second digit of the first value (2) indicates the position inside said frame (the third starting from zero) whereas the second value 0080 indicates the HTTP service (the one used by web applications).

Therefore, starting from the rule

(ETH_PROT, IP),
(IP_SRC_ADDR, 228.186.33.90),
(IP_DST_ADDR, 41.240.227.149),
(TCP_DST_PORT, HTTP)

the sequence

0x0C 0x0800, 0x49 0x06, 0x4C 0xe4, 0x4D 0xba, 0x4E 0x21, 0x4F 0x5a, 0x410 0x29, 0x411 0xf0, 0x412 0xe3, 0x413 0x95, 0x82 0x0080

is obtained.

It is intended that all the conversions described hereto are made possible through a sequential comparison of each of the <data type>/<data value> pairs with a table storing all possible <data type>/<data value> pairs together with the corresponding hexadecimal data pair.
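The conversion element just described, together with the joker (*) notation of the address pairs introduced under element 201, as an added example that is not the patent's own code: it compiles the <data type>/<data value> pairs into (frame code, byte position, width, value) elements and then checks a constructed Ethernet/IPv4/TCP frame against them. The frame codes 0 (Ethernet), 4 (IP) and 8 (TCP) and the byte positions follow the text; the symbolic lookup table, the function names, and the HTTP service value (assumed to be the IANA port number 80, i.e. 0x0050, rather than the 0x0080 written above, so that the comparison against a real TCP header holds) are assumptions of this example, and a joker octet is handled by emitting no element for that position.

```python
# Added example, not the patent's code: compiles <data type>/<data value>
# pairs into (frame code, byte position, width, value) elements following the
# conversion element above, then checks a constructed Ethernet/IPv4/TCP frame
# against them.  Frame codes 0 (Ethernet), 4 (IP), 8 (TCP) and the positions
# follow the text; the HTTP value is assumed to be the IANA port 80 (0x0050),
# where the text writes 0x0080, so that the match on a real TCP header holds.
import struct

ETH, IP, TCP = 0x0, 0x4, 0x8   # frame codes of the conversion element

# Symbolic <data value>s and their numeric codes (constructed lookup table).
SYMBOLIC = {
    ("ETH_PROT", "IP"): 0x0800,        # ethertype of IP
    ("TCP_DST_PORT", "HTTP"): 0x0050,  # assumption: IANA port 80
}


def ip_octets(text):
    """Split a dotted address into four ints; a '*' (joker) octet becomes None."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("bad IPv4 address: %r" % text)
    return [None if p == "*" else int(p) for p in parts]


def compile_rule(pairs):
    """Convert (data type, data value) pairs into the ordered element list.
    A joker octet emits no element, i.e. any value in that position matches."""
    seq = []
    for dtype, dvalue in pairs:
        if dtype == "ETH_PROT":
            # As in the text: the ethertype at Ethernet byte 0x0C and, with it,
            # the TCP protocol number at IP byte 9.
            seq.append((ETH, 0x0C, 2, SYMBOLIC[(dtype, dvalue)]))
            seq.append((IP, 0x09, 1, 0x06))
        elif dtype in ("IP_SRC_ADDR", "IP_DST_ADDR"):
            base = 0x0C if dtype == "IP_SRC_ADDR" else 0x10
            for i, octet in enumerate(ip_octets(dvalue)):
                if octet is not None:
                    seq.append((IP, base + i, 1, octet))
        elif dtype == "TCP_DST_PORT":
            seq.append((TCP, 0x02, 2, SYMBOLIC[(dtype, dvalue)]))
        else:
            raise ValueError("unknown data type %r" % dtype)
    return seq


def frame_offsets(frame):
    """Byte offset of each encapsulated header in a raw frame (no VLAN tag)."""
    offsets = {ETH: 0}
    if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == 0x0800:
        offsets[IP] = 14
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] == 0x06 and len(frame) >= 14 + ihl + 20:
            offsets[TCP] = 14 + ihl
    return offsets


def matches(frame, compiled):
    """True when every element is found at its position in the right header."""
    offsets = frame_offsets(frame)
    for code, pos, width, value in compiled:
        if code not in offsets:
            return False  # rule refers to a header the frame does not carry
        start = offsets[code] + pos
        field = frame[start:start + width]
        if len(field) != width or int.from_bytes(field, "big") != value:
            return False
    return True


def build_frame(src_ip, dst_ip, dst_port):
    """Constructed sample: minimal Ethernet + IPv4 + TCP headers, no payload."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    src, dst = bytes(ip_octets(src_ip)), bytes(ip_octets(dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp
```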

Actually, a more extended form can be used for the rules thus defined, capable of being semantically represented by the <object>/<action> pair. The <object> field indicates the set of properties (including the value) assumed by the element currently under examination, whereas the <action> field expresses the actions that are to be executed after having recognized said object in the communication frame.

For instance, in the hexadecimal pairs of the <data type>/<data value> kind it is apparent how the <data type> field contains a double piece of information, i.e. both the protocol (or the frame type) to which reference is made, and the position inside said protocol.

In the event of complex application protocols, the monitored frames are usually represented by means of a language of the LL(1) type (i.e., according to the definition of Chomsky, a language having no control structures and with no limitations for the definition of the interpretation processes of the information structures). In this event, the <action> field will make reference to a minimal set of basic instructions reported herebelow:

- Push <value>
- Push <variable>
- Push <reading position>
- Push <value at the reading position>
- Pop <variable>
- Pop <reading position>
- Pop <in the reading position>
- And
- Mul
- Add
- Equal
- Next
- F_send_all
- F_dynamic

Herebelow a schematic outline of the meaning of said basic instructions is provided for the sake of completeness.

- Push <value> inserts a value in the stack dedicated to the recognition process under way, for instance: PUSH(35), the value 35 is inserted in the stack;
- Push <variable> inserts the content of a variable in the stack dedicated to the recognition process under way, for instance: PUSH(v12), if the value of the "v12" variable is 8, then 8 is inserted in the stack;
- Push <reading position> inserts in the stack dedicated to the recognition process under way the position of the value currently read in the input stream, for instance PUSH(pos): if the value of pos, a variable indicating the reading position, is 5, then 5 is inserted in the stack;
- Push <value at the reading position> inserts in the stack dedicated to the recognition process under way the value read in the input stream under recognition at the "reading position", e.g. PUSH(v_pos): if the value of pos, a variable indicating the reading position, is 5 and if at position 5 of the input stream there is the value 30, then 30 is inserted in the stack;
- Pop <variable> inserts the stack head in the "variable" variable, e.g. POP(v3): if the value 10 was inserted in the stack head, meaning that the last operation performed with the stack was e.g. push(10), then the value 10 goes into the "v3" variable;
- Pop <reading position> inserts the stack head in the variable indicating the next position to be read in the input stream, e.g. POP(pos): if in the stack head the value 10 has been inserted, then the next element that will be read from the input stream will be the one in position 10;
- Pop <in the reading position> inserts the stack head in the position indicated by the variable indicating the next position to be read in the input stream, e.g. POP(v_pos): if the value 10 has been inserted in the stack head, the value of the next element that will be read from the input stream will be 10;
- And, Mul, Add, Or, Sub are all logical and arithmetical operations. The operation is performed on the values contained in the first two stack positions, the result becomes the stack head and the two used values are removed from the stack;
example: the logical and arithmetical operations follow the reversed Polish notation (RPN). Suppose the operation 10*30 has to be executed: the corresponding program will be:

PUSH(10)
PUSH(30)
MUL

now, in the stack head there is 300 = 30*10.

- Equal <value>, Equal <variable>, Equal <reading position>, Equal <value at the reading position> verifies whether in the stack head there is a value equal to the one forwarded as a parameter. The result (0 if different, 1 if equal) is inserted in the stack head;
- f_send_all is a function that, when operated, reports the entire input stream to the output;
- Next <value>, Next <variable> increments the variable indicating the input stream position from which the next value is to be read by the value contained in "value" or by the value contained in "variable"; lastly
- f_dynamic("name") operates the "name" function connected to the coordinating element through dynamic connection mechanisms (such as DLLs in Windows or shared libraries in UNIX, or RPC/DCE mechanisms, ...) forwarding thereto the values contained in the stack as parameters.
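The basic instruction set just outlined, as an added example that is not the patent's own code: a small stack machine executes programs over an input stream, including the RPN example 10*30 from the text and a constructed recognition program that tests the ethertype bytes of a frame. The program encoding as (mnemonic, operand) tuples, the variable names, the registry standing in for F_dynamic, and the reading of Equal as consuming the stack head and replacing it with the 0/1 result are assumptions of this example.

```python
# Added example, not the patent's code: a small stack machine for the basic
# instruction set listed above.  Programs are lists of (mnemonic, operand)
# tuples and variables are plain names; both encodings are assumptions.  Equal
# is taken to consume the stack head and replace it with the 0/1 result, one
# reading of "inserted in the stack head" that keeps And/Or usable on results.
import operator

BINARY = {  # And, Or, Mul, Add, Sub: operate on the two topmost values
    "AND": operator.and_, "OR": operator.or_,
    "MUL": operator.mul, "ADD": operator.add, "SUB": operator.sub,
}


class Recognizer:
    """Runs a program over an input stream with one stack, a variable table
    and the reading position 'pos'; 'functions' stands in for F_dynamic."""

    def __init__(self, stream, functions=None):
        self.stream = list(stream)
        self.stack = []
        self.vars = {}
        self.pos = 0
        self.functions = functions or {}
        self.output = None  # filled by F_SEND_ALL

    def step(self, op, arg=None):
        if op == "PUSH":              # Push <value>
            self.stack.append(arg)
        elif op == "PUSH_VAR":        # Push <variable>
            self.stack.append(self.vars[arg])
        elif op == "PUSH_POS":        # Push <reading position>
            self.stack.append(self.pos)
        elif op == "PUSH_VPOS":       # Push <value at the reading position>
            self.stack.append(self.stream[self.pos])
        elif op == "POP_VAR":         # Pop <variable>
            self.vars[arg] = self.stack.pop()
        elif op == "POP_POS":         # Pop <reading position>
            self.pos = self.stack.pop()
        elif op == "POP_VPOS":        # Pop <in the reading position>
            self.stream[self.pos] = self.stack.pop()
        elif op in BINARY:            # result replaces the two operands
            b, a = self.stack.pop(), self.stack.pop()
            self.stack.append(BINARY[op](a, b))
        elif op == "EQUAL":           # Equal <value>
            self.stack.append(1 if self.stack.pop() == arg else 0)
        elif op == "EQUAL_VAR":       # Equal <variable>
            self.stack.append(1 if self.stack.pop() == self.vars[arg] else 0)
        elif op == "EQUAL_VPOS":      # Equal <value at the reading position>
            self.stack.append(1 if self.stack.pop() == self.stream[self.pos] else 0)
        elif op == "NEXT":            # Next <value>: advance the reading position
            self.pos += arg
        elif op == "NEXT_VAR":        # Next <variable>
            self.pos += self.vars[arg]
        elif op == "F_SEND_ALL":      # report the entire input stream
            self.output = bytes(self.stream)
        elif op == "F_DYNAMIC":       # registered function called with the stack
            self.stack = [self.functions[arg](*self.stack)]  # result replaces it (assumption)
        else:
            raise ValueError("unknown instruction %r" % op)

    def run(self, program):
        """Execute the program; returns the stack head (None if empty)."""
        for instr in program:
            self.step(*instr)
        return self.stack[-1] if self.stack else None


# The RPN example from the text: 10*30 leaves 300 on the stack head.
RPN_PROGRAM = [("PUSH", 10), ("PUSH", 30), ("MUL",)]

# Constructed recognition program: does the ethertype at Ethernet bytes 12-13
# equal 0x0800 (IP)?  Leaves 1 on the stack head if so, 0 otherwise.
IP_ETHERTYPE_PROGRAM = [
    ("PUSH", 12), ("POP_POS",),          # start reading at byte 12
    ("PUSH_VPOS",), ("EQUAL", 0x08),     # high byte
    ("NEXT", 1),
    ("PUSH_VPOS",), ("EQUAL", 0x00),     # low byte
    ("AND",),
]


def recognize(stream, program):
    """Run a program over a stream and return the resulting stack head."""
    return Recognizer(stream).run(program)
```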

A possible implementation syntax (adopted from the C language) of the set of the <item>/<action> pairs can be the following one:

typedef struct _item {
    unsigned char object;       /* the <object> field, one byte */
    unsigned long int action;   /* the <action> field: a number or a pointer */
} Item;

typedef struct _record {
    int num_of_items;           /* number of <item>/<action> pairs */
    Item *items;                /* the pairs themselves */
} Record;

Record *input_second_step;      /* the compiled rules, input to the second step */

wherein:
- the "object" field is expressed as a single byte ("unsigned char"). Such a choice does not entail limitations, since an entire value (2 to 4 bytes long) can be considered as a sequence of bytes and therefore it can be processed one byte at a time; and
- the "action" field is expressed as "unsigned long int". Hence, it can represent both a number (compatible with the first notation) and a pointer to a structure or to a set of functions (compatible with the second notation).

Usually the number of different sequences is very high. By way of example, taking into consideration exclusively the TCP-IP protocol, for a relatively low number of 1000 "clients" (i.e. of processors using application services made available by other processors) and of 10 "servers" (i.e. of processors providing application services to the clients) and of an average of 10 application services per "server" (as e.g. FTP, TELNET, HTTP, MAIL, NFS, TIME, DNS), in order to discriminate all the possible "pairings" among client-server-service, rules indicating 1000*10*10=100000 different pattern sequences in the communication frames have to be determined.

This number, already well above the dimension deeemed acceptable 
for the internal addressing tables of the routers and of the commercial firewalls, 
increases very rapidly when rules operating not merely at the level of a control 

2 0 portion of the communication protocols, but operating on the level of the data portion 
as well are determined, as is the case in the present invention. 

The above defined language of rules allows writing rules for the 
identification of elements of the data portion of the communication protocol: in fact, 
if not merely the "identification" of a "client" is desirable, but also the detection of when it tries to 
access a specific WEB page from a network (which is possible by means of the 
present invention), it is not enough to operate at the level of the communication 
protocol control portion (only the fact that a command was sent at the level of an 
HTTP service would be recognized), it being necessary instead to operate at the level of 
the TCP-IP protocol data portion in order to identify the particular string determining 
access to the WEB page requested by the client. 

In Annex A a second example of language is reported. 

ii) Compression element of the set of sequences obtained in a direct access 
data structure 

Said second element of the pattern compiler 202 allows the construction 
of the compression data structure ensuring a constant access time (i.e., regardless of 
the number of sequences) and an optimal memory occupation (i.e., equal to the 
amount of memory required to store the sequences in a non structured way multiplied by 
a constant value) for the recognition, in the communication frames that are readable from a network, of the sequences stored in said structure. Moreover it is possible to 
update such a data structure in a number of steps proportional to N*log(N), where N 
is the number of new sequences to be inserted. 

In particular, reference will be made to the articles: 

a) "Time Optimal Digraph Browsing on a Sparse Representation", 
Mathematics Department Tech. Report, Tor Vergata University of Rome 8/97, 1997 
by M. Talamo and P. Vocca; 

b) "Optimal Bounds on Complexity of Sparse Partial Orders", Mathematics 
Department Tech. Report, Tor Vergata University of Rome, 9/97, 1997 by M. 
Talamo and P. Vocca; 

c) "Optimal Digraph Search on a Compressed Representation", Mathematics 
Department Tech. Report, Tor Vergata University of Rome, 11/98, 1998 by M. 
Talamo and P. Vocca; and 

d) "Compact Implicit Representation of Graphs", WG98 proceedings, June 
1998 by M. Talamo and P. Vocca. 

In said articles data structures allowing a constant time access, i.e. 
regardless of the number of data represented by them, are described. 

The algorithm for obtaining said data structures is applied to access 
structures of the "bipartite graph" kind, e.g. the one represented in figure 10A. In 
such a graph the nodes can be separated into two disjoint subsets (from A to E 
and from 0 to 4 in the figure), in such a way that each node belonging to the first subset 
can be connected only with nodes belonging to the second subset and vice versa. 
With reference to figure 10A, node A is connected with node 0 and node 2, node B is 
connected with node 0 and node 2, node C is connected with node 1 and node 4, 
node D is connected with node 3, and node E is connected with node 3. 

Such connections can be expressed by means of a bidimensional 
matrix of the kind reported in figure 10B, where the symbol x represents the 
active connections between rows and columns. Therefore, it can be 
concluded that bipartite graphs are equivalent to bidimensional matrices and 
that therefore the constant time accessibility results obtained in the 
above cited articles can also apply to structures such as bidimensional matrices. 
Therefore, the compression element will compress the sequences 
obtained through the conversion element, and will generate a set of 
bidimensional matrices representing such sequences. 

* * * 

The algorithm by which the compression element operates, described 
herebelow (from STEP 1 to STEP 11), is intended to be implemented in any suitable 
programming language (e.g. in the C language) and stored in a ROM. 

The input to the algorithm consists of a sequence of numerical 
identifiers (records) of preset, variable length. 

By way of example, together with the various algorithm steps a 
complete compilation cycle for a specific practical case will be reported, in order to 
fully describe the operation of the algorithm itself. Accordingly, reference 
to communication structures of the Ethernet kind will be made again. Obviously, the 
operation of the control device according to the present invention remains unaltered 
even in the event the apparatus for monitoring and interpretation does not provide 
Ethernet frames monitored on the network, but directly provides instead TCP/IP 
communications or anyhow very long data streams. 

STEP 1 (specification of predetermined rules, see also figure 11): 
It is supposed to have to manage and coordinate Ethernet communication 
frames by means of the following connection diagrams: 

connection a) 132.147.200.10 can connect with 132.147.160.1 only for the 
service: 
- WWW, service TCP 80. 

connection b) 132.147.200.10 can connect with 132.147.160.2 only for the 
services: 
- SMTP, service TCP 25; 
- NETBIOS, services TCP 137, 138 and 139. 

connection c) 132.147.200.20 can connect with 132.147.160.1 only for the 
services: 
- FTP, services TCP 20 and 21; 
- TELNET, service TCP 23. 

connection d) 132.147.200.20 can connect with 132.147.160.2 only for the 
services: 
- SMTP, service TCP 25; 
- WWW, service TCP 80. 

connection e) 132.147.200.20 can connect with 132.147.160.3 only for the 
services: 
- WWW, service TCP 80; 
- SNMP, services TCP 161 and 162; 
- NFS, service TCP 2049; 
- TELNET, service TCP 23. 

Further, all the communications of the ARP (Ethernet layer protocol) and 
ICMP (IP-layer protocol) kind will have to be accepted. 

STEP 2 (conversion of rules in a set of sequences): 

A set of 17 records (in which each record consists of a set of <item>/<action> 
pairs) is obtained based on said connection diagram. In particular, record 1 represents 
connection a), records 2 to 5 represent connection b), records 6 to 8 represent 
connection c), records 9 to 10 represent connection d), records 11 to 15 represent 
connection e), record 16 represents the Ethernet ARP protocol, and lastly record 17 
represents the ICMP protocol in IP. 



Connection a) 
RECORD 1 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.10 
0x93, 0x400D 
0xC8, 0x400E 
0x0A, 0x400F 
0x84, 0x4010    132.147.160.1 
0x93, 0x4011 
0xA0, 0x4012 
0x01, 0x4013 
0x00, 0x8002    WWW 80 
0x50, 0x8003 

Connection b) 
RECORD 2 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.10 
0x93, 0x400D 
0xC8, 0x400E 
0x0A, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    SMTP 25 
0x19, 0x8003 

RECORD 3 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.10 
0x93, 0x400D 
0xC8, 0x400E 
0x0A, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    NETBIOS 137 
0x89, 0x8003 

RECORD 4 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.10 
0x93, 0x400D 
0xC8, 0x400E 
0x0A, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    NETBIOS 138 
0x8A, 0x8003 

RECORD 5 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.10 
0x93, 0x400D 
0xC8, 0x400E 
0x0A, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    NETBIOS 139 
0x8B, 0x8003 

Connection c) 
RECORD 6 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.1 
0x93, 0x4011 
0xA0, 0x4012 
0x01, 0x4013 
0x00, 0x8002    FTP 20 
0x14, 0x8003 

RECORD 7 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.1 
0x93, 0x4011 
0xA0, 0x4012 
0x01, 0x4013 
0x00, 0x8002    FTP 21 
0x15, 0x8003 

RECORD 8 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.1 
0x93, 0x4011 
0xA0, 0x4012 
0x01, 0x4013 
0x00, 0x8002    TELNET 23 
0x17, 0x8003 

Connection d) 
RECORD 9 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    SMTP 25 
0x19, 0x8003 

RECORD 10 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.2 
0x93, 0x4011 
0xA0, 0x4012 
0x02, 0x4013 
0x00, 0x8002    WWW 80 
0x50, 0x8003 

Connection e) 
RECORD 11 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.3 
0x93, 0x4011 
0xA0, 0x4012 
0x03, 0x4013 
0x00, 0x8002    WWW 80 
0x50, 0x8003 

RECORD 12 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.3 
0x93, 0x4011 
0xA0, 0x4012 
0x03, 0x4013 
0x00, 0x8002    SNMP 161 
0xA1, 0x8003 

RECORD 13 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.3 
0x93, 0x4011 
0xA0, 0x4012 
0x03, 0x4013 
0x00, 0x8002    SNMP 162 
0xA2, 0x8003 

RECORD 14 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.3 
0x93, 0x4011 
0xA0, 0x4012 
0x03, 0x4013 
0x08, 0x8002    NFS 2049 
0x01, 0x8003 

RECORD 15 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x06, 0x4009    TCP protocol in IP 
0x84, 0x400C    132.147.200.20 
0x93, 0x400D 
0xC8, 0x400E 
0x14, 0x400F 
0x84, 0x4010    132.147.160.3 
0x93, 0x4011 
0xA0, 0x4012 
0x03, 0x4013 
0x00, 0x8002    TELNET 23 
0x17, 0x8003 

and lastly 
RECORD 16 
0x08, 0x000C    ARP protocol in Ethernet 
0x06, 0x000D 

RECORD 17 
0x08, 0x000C    IP protocol in Ethernet 
0x00, 0x000D 
0x01, 0x4009    ICMP protocol in IP 

The structure thus obtained can be expressed in a matricial form, 
according to the representation in figure 12. It is to be noted that the various records 
can have different lengths. In fact, there are 15 records of length 13, 1 record of 
length 2 and 1 record of length 3. 
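As an added example (not code from the patent), the C routines below build records of the kind just listed from one connection line, using the reading positions that records 1 to 17 above use (0x000C/0x000D for the Ethernet type, 0x4009 for the IP protocol, 0x400C to 0x400F for the source address, 0x4010 to 0x4013 for the destination address, 0x8002/0x8003 for the TCP port); the Item/Record layout follows the C structs given earlier, while the function names and the port split are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's own code: turns one "client may reach
 * server on these TCP services" line of STEP 1 into the <item>/<action>
 * records of STEP 2. The action field carries the reading position of the
 * byte, exactly as in records 1 to 17 above. */

typedef struct {
    unsigned char object;      /* byte expected at the reading position */
    unsigned long int action;  /* here: the reading position itself */
} Item;

typedef struct {
    int num_of_items;
    Item *items;
} Record;

#define TCP_RULE_ITEMS 13      /* every TCP rule of the example has 13 pairs */

/* Fills out[0..12] for "src may reach dst on TCP port". Addresses are the
 * four dotted-quad octets; the port is split big-endian over two bytes
 * (assumption taken from 0x0801 = 2049 in record 14). */
void build_tcp_rule(const uint8_t src[4], const uint8_t dst[4], uint16_t port,
                    Item out[TCP_RULE_ITEMS])
{
    size_t n = 0;
    out[n++] = (Item){0x08, 0x000C};                 /* IP protocol in Ethernet */
    out[n++] = (Item){0x00, 0x000D};
    out[n++] = (Item){0x06, 0x4009};                 /* TCP protocol in IP */
    for (int i = 0; i < 4; i++)                      /* source address */
        out[n++] = (Item){src[i], 0x400CUL + (unsigned long)i};
    for (int i = 0; i < 4; i++)                      /* destination address */
        out[n++] = (Item){dst[i], 0x4010UL + (unsigned long)i};
    out[n++] = (Item){(unsigned char)(port >> 8), 0x8002};    /* service port */
    out[n++] = (Item){(unsigned char)(port & 0xFF), 0x8003};
}

/* Expands one connection line (one client, one server, several services)
 * into consecutive records, the way connection e) yields records 11 to 15.
 * storage must hold nports * TCP_RULE_ITEMS items. Returns the record count. */
int expand_connection(const uint8_t src[4], const uint8_t dst[4],
                      const uint16_t *ports, int nports,
                      Item *storage, Record *records)
{
    for (int k = 0; k < nports; k++) {
        records[k].num_of_items = TCP_RULE_ITEMS;
        records[k].items = storage + (size_t)k * TCP_RULE_ITEMS;
        build_tcp_rule(src, dst, ports[k], records[k].items);
    }
    return nports;
}

/* Records 16 and 17 of the example: ARP in Ethernet, ICMP in IP.
 * Returns the number of pairs written (2 or 3). */
typedef enum { RULE_ARP, RULE_ICMP } ProtoRule;

int build_protocol_rule(ProtoRule kind, Item out[3])
{
    out[0] = (Item){0x08, 0x000C};
    if (kind == RULE_ARP) {                /* Ethernet type 0x0806 = ARP */
        out[1] = (Item){0x06, 0x000D};
        return 2;
    }
    out[1] = (Item){0x00, 0x000D};         /* Ethernet type 0x0800 = IP */
    out[2] = (Item){0x01, 0x4009};         /* IP protocol 1 = ICMP */
    return 3;
}

int main(void)
{
    /* connection a): 132.147.200.10 -> 132.147.160.1, WWW 80 (record 1) */
    const uint8_t src[4] = {132, 147, 200, 10}, dst[4] = {132, 147, 160, 1};
    Item rec1[TCP_RULE_ITEMS];
    build_tcp_rule(src, dst, 80, rec1);
    for (int i = 0; i < TCP_RULE_ITEMS; i++)
        printf("0x%02X, 0x%04lX\n", rec1[i].object, rec1[i].action);
    return 0;
}
```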

STEP 3: 
Set CONT = 0 

STEP 4: 
Column 0 and column CONT of the above reported sequence are taken, and a 
new sequence of records containing only 2 items (the one in column 0 and the one in 
column CONT) is created. 

STEP 5: 
Duplicates are eliminated from this new sequence of records. 

STEP 6: 
Set ROW = 0 

STEP 7: 
A weighted bipartite graph is created with the new record sequence, by 
inserting for each record: 
- the value of the item in position 0 (upper node id); 
- the value of the item in position CONT (lower node id); 
- the action of the item in position CONT (as the first weight of the arc 
between the two nodes); 
- ROW (as the second weight of the arc between the two nodes). 

Further, for each pair of inserted nodes, the item value in position 0 in the 
original record sequence is replaced with the new ROW value, and then 
ROW = ROW + 1 is set. 

STEP 8: 
The bipartite graph thus obtained is converted into a bidimensional matrix 
and a vector by means of the basic algorithm of the above mentioned 
articles. Note however that the algorithm described herewith constitutes an extension 
of said basic algorithm, in particular concerning the previous step 7. 

STEP 9: 
The bidimensional matrix and the vector are stored. 

STEP 10: 
Set CONT = CONT + 1 

STEP 11: 
If CONT is not equal to the maximum number of items of the records, step 
4 is repeated; else the algorithm ends. 

* * * 

The sequence of bidimensional matrices and vectors constitutes the 
compressed data structure that will be used for recognition of the input streams. Such 
structure is accessible in a direct manner. 

Herebelow again reference to figure 9 will be made. 
Element 203 (memory containing the compressed patterns): 

Such element consists of the sequence of matrices resulting from the 
above mentioned compression algorithm. By virtue of the high compression rate of 
said algorithm, the dimension of this sequence of matrices is directly proportional to 
the number of active connections of the original matrix, being therefore directly 
storable in the central memory. In case of a high number of active connections 
(> 100.000.000), said sequence of compressed matrices can be managed by means of 
mass storage devices. 

Element 204 (pattern recognizer): 

Such element allows the comparison between the application frames 
to be recognized, monitored by means of the element 205, and the direct access data 
structure stored in 203. 

The element 204 is realized in a microchip, and it substantially 
consists of software implementing a direct accessing technique on matrices, in 
order to access the matrices stored in 203. 
Therefore, the acceptability or non acceptability of the frame read 
from the network can be recognized in a completely deterministic way. 

* * * 

In order to provide a detailed example of the operation of said 
recognizer, herebelow first of all the structure of the matrices stored in 203 is 
reported, using a syntax similar to that of the C language: 

//Structure for a bidimensional matrix and a vector 
typedef struct _matrices_AB { 
    unsigned long int row_a;   //Number of rows of the matrix 
    unsigned long int col_a;   //Number of columns of the matrix 
    unsigned long int col_b;   //Number of elements of the vector 
    unsigned long int **mA;    //Matrix of values 
    Action ***mP;              //Matrix of actions ("Action" is the type of an <action> entry) 
    unsigned long int *mB;     //Vector 
} mat_AB; 

typedef struct _vec_matrices_AB { 
    mat_AB *MAB;               //Set of matrices and vectors 
    unsigned long int num_mab; //Number of matrices and vectors 
} *Vec_mat_AB; 

Five input records and the resulting matrices are reported herebelow. 
In such example the description of the records is performed by means of the 
<item>/<action> syntax hereto reported. The associated actions are extremely 
simplified (a single action per each recognition). Moreover, for sake of simplicity, 
the recognition is assumed to begin always from the first byte of the input stream. 

RECORD 1 
0x01 next(1) 
0x03 next(1) 
0x02 f_send_all 

RECORD 2 
0x01 next(1) 
0x06 next(1) 
0x04 f_send_all 

RECORD 3 
0x02 next(1) 
0x07 next(1) 
0x03 f_send_all 

RECORD 4 
0x01 next(1) 
0x02 f_send_all 

RECORD 5 
0x05 next(1) 
0x01 f_send_all 

By next(1) the action of positioning on the successive byte in the data 
stream is intended. By f_send_all the action of forwarding the whole data 
stream to the outside is intended. 



By means of the aforedescribed algorithm the following matricial 
structure is obtained: 
Matrix/Vector pair 1 
MATRIX OF VALUES:   0: [ X]   1: [ 0]   2: [ 1]   3: [ X]   4: [ X]   5: [ 2] 
MATRIX OF ACTIONS:  (1, 0) NEXT(1)   (2, 0) NEXT(1)   (5, 0) NEXT(1) 
VECTOR B:           X 0 0 X X 0 

Matrix/Vector pair 2 
MATRIX OF VALUES:   0: [ X]   1: [ 4]   2: [ 0]   3: [ 1]   4: [ X]   5: [ X]   6: [ 2]   7: [ 3] 
MATRIX OF ACTIONS:  (1, 0) F_SEND_ALL   (2, 0) F_SEND_ALL   (3, 0) NEXT(1)   (6, 0) NEXT(1)   (7, 0) NEXT(1) 
VECTOR B:           0 0 0 

Matrix/Vector pair 3 
MATRIX OF VALUES:   0: [0 4]   1: [X X]   2: [1 X]   3: [3 X]   4: [2 X] 
MATRIX OF ACTIONS:  (2, 0) F_SEND_ALL   (3, 0) F_SEND_ALL   (4, 0) F_SEND_ALL 
VECTOR B:           0 0 0 0 1 

(X denotes an empty entry; (r, c) gives the row and column of the action in the matrix of actions.) 


In order not to overburden the present description, the various steps from the 
records to the graphically described matricial structure (after all, simple applications 
of the above described algorithm) will not be described here in detail. Moreover, for the 
sake of clarity the matrix of values has been represented as physically separated from 
the matrix of actions. 

Instead, the comparison steps that are performed in order to recognize 
or not the monitored data streams will be described in detail. Said steps relate to the 
specific case of the matricial structure hereto described. 
1) EXAMPLE OF RECOGNITION IN THE EVENT THE STREAM IS 
IDENTICAL TO THE RECORD 1: 0x01 0x03 0x02 

First read value is 01. 

Being in an initial condition, it is used as an index of the matrix as 
well as of the vector. 

The adopted Matrix/Vector pair is in the position 1 of the above 
reported list. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 01, i.e. the first row. 

The column index of matrix A is determined by the value contained 
in vector B at the position corresponding to the element which has been read, i.e. 
Column A = B[0x01] = 0, i.e. the 0-th column. 

Therefore, the value reported in A[1, 0], i.e. 0, will be read. Said value 
is the successive index of vector B. 

Next, the action reported in A[1, 0], i.e. the numeric value 
corresponding to the action next(1), will be read. 

Therefore the aforesaid action will be executed, thus proceeding to the 
successive data stream value. 

The successive value will be reached, using then the Matrix/Vector 
pair at position 2 of the above reported list. 

Read value is 03. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 03, i.e. the third row. 

The column index of matrix A is determined by the value contained in 
vector B at the position corresponding to the value reported in A[1, 0] obtained in the 
previous step (i.e. 0). Column A = B[0] = 0, i.e. the 0-th column. 

Therefore, the value reported in A[3, 0], i.e. 1, will be read. Such value 
is the next index of vector B. 

Then the action reported in A[3, 0], i.e. the numeric value 
corresponding to the action next(1), will be read. 

Therefore, the aforesaid action will be executed, and the position shall 
be shifted to the next value of the data stream. 

The subsequent value will be reached and the Matrix/Vector pair at 
position 3 of the above reported list will be used. 

Read value is 02. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 02, i.e. the second row. 

The column index of matrix A is determined by the value contained in 
vector B at the position corresponding to the value reported in A[3, 0] obtained in the 
previous step (i.e. 1). Column A = B[1] = 0, i.e. the 0-th column. 

Therefore, the value reported in A[2, 0], i.e. 1, will be read. Such 
value is the successive index of vector B. 

Then the action reported in A[2, 0], i.e. the numeric value 
corresponding to the action f_send_all, will be read. This means that recognition has 
occurred. 

2) EXAMPLE OF RECOGNITION IN THE EVENT THE STREAM 
DIFFERS FROM THE RECORDS: 0x04 0x01 

First read value is 04. 

Being in an initial condition, it is used as an index of the matrix as 
well as of the vector. 

The adopted Matrix/Vector pair is in the position 1 of the above 
reported list. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 04, i.e. the fourth row. 

The column index of matrix A is determined by the value contained 
in vector B at the position corresponding to the element which is read, i.e. Column 
A = B[04] = X. Therefore the stream is not recognized. 

3) EXAMPLE OF RECOGNITION IN THE EVENT THE STREAM 
DIFFERS FROM THE RECORDS: 0x01 0x05 0x03 

The first read value is 01. 

Being in an initial condition, it is used as an index of the matrix as 
well as of the vector. 

The adopted Matrix/Vector pair is in the position 1 of the above 
reported list. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 04, i.e. the fourth row. 

The column index of matrix A is determined by the value contained 
in vector B at the position corresponding to the element which is read, i.e. Column A 
= B[0x01] = 0, i.e. the 0-th column. 

Therefore, the value reported in A[1, 0], i.e. 0, will be read. Said value 
is the successive index of vector B. 

Next, the action reported in A[1, 0], i.e. the numeric value 
corresponding to the action next(1), will be read. 

Therefore, the position shall be shifted to the next value and the 
Matrix/Vector pair which is at position 2 in the above reported list will be used. 

Read value is 05. 

The row index of matrix A is determined by the element which has 
been read, i.e. Row A = 05, i.e. the fifth row. 

The column index of matrix A is determined by the value contained in 
vector B at the position corresponding to the value reported in A[1, 0] obtained in the 
previous step. Column A = B[0] = 0. 

Thus, the value reported in A[5, 0], i.e. X, will have to be read. 
Therefore, the stream is not recognized. 

Hence, using a direct access technique on matrices, easily operable in 
a microchip, the pattern recognizer is able to recognize the acceptability or the non 
acceptability of the input stream in a completely deterministic manner, in a number 
of accesses to matrices and vectors equaling the number of elements that are 
recognized in the same stream. 
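The three walks above, carried out by code rather than by hand: an added C example (not the patent's recognizer) that encodes the three Matrix/Vector pairs of the figure with X as -1, uses a small action enum in place of the numeric action codes, and counts how many pairs were consulted, which is the access count the paragraph above refers to.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's own code: direct-access recognition over
 * the three Matrix/Vector pairs built from records 1 to 5. "X" entries of
 * the figure are encoded as -1; the real structure stores numeric action
 * codes where this example stores an enum. */

#define X (-1)

typedef enum { ACT_NONE = 0, ACT_NEXT1 = 1, ACT_SEND_ALL = 2 } Action;

typedef struct {
    int rows, cols;      /* dimensions of the matrix of values A (and of actions) */
    const int *A;        /* matrix of values, row-major; X marks an empty cell */
    const Action *P;     /* matrix of actions, same layout as A */
    int blen;            /* number of elements of vector B */
    const int *B;        /* vector B: column of A to use; X marks "no entry" */
} MatVec;

/* Pair 1: row = first byte, column = B[first byte] (initial condition). */
static const int    A1[6] = { X, 0, 1, X, X, 2 };
static const Action P1[6] = { ACT_NONE, ACT_NEXT1, ACT_NEXT1, ACT_NONE, ACT_NONE, ACT_NEXT1 };
static const int    B1[6] = { X, 0, 0, X, X, 0 };
/* Pair 2: row = second byte, column = B[value read from pair 1]. */
static const int    A2[8] = { X, 4, 0, 1, X, X, 2, 3 };
static const Action P2[8] = { ACT_NONE, ACT_SEND_ALL, ACT_SEND_ALL, ACT_NEXT1,
                              ACT_NONE, ACT_NONE, ACT_NEXT1, ACT_NEXT1 };
static const int    B2[3] = { 0, 0, 0 };
/* Pair 3: two columns, row = third byte, column = B[value read from pair 2]. */
static const int    A3[10] = { 0, 4,  X, X,  1, X,  3, X,  2, X };
static const Action P3[10] = { ACT_NONE, ACT_NONE, ACT_NONE, ACT_NONE, ACT_SEND_ALL, ACT_NONE,
                               ACT_SEND_ALL, ACT_NONE, ACT_SEND_ALL, ACT_NONE };
static const int    B3[5] = { 0, 0, 0, 0, 1 };

static const MatVec PAIRS[3] = {
    { 6, 1, A1, P1, 6, B1 },
    { 8, 1, A2, P2, 3, B2 },
    { 5, 2, A3, P3, 5, B3 },
};
#define NPAIRS (sizeof PAIRS / sizeof PAIRS[0])

/* Walks the stream through the pairs. Returns 1 when an f_send_all action is
 * reached (stream accepted), 0 otherwise. If accesses is not NULL it receives
 * the number of Matrix/Vector pairs consulted, one per stream byte examined. */
int recognize(const unsigned char *stream, size_t len, int *accesses)
{
    int idx = 0;      /* index into vector B; for pair 1 the byte itself is used */
    int n = 0;
    for (size_t pos = 0; pos < len && pos < NPAIRS; pos++) {
        const MatVec *mv = &PAIRS[pos];
        int row = stream[pos];                    /* row index of A = byte read */
        int bi  = (pos == 0) ? row : idx;         /* initial condition: byte indexes B */
        n++;
        if (bi >= mv->blen || mv->B[bi] == X) break;   /* B has no entry: reject */
        int col = mv->B[bi];                      /* column index of A = B[...] */
        if (row >= mv->rows || col >= mv->cols) break;
        int val = mv->A[row * mv->cols + col];
        if (val == X) break;                      /* empty cell of A: reject */
        Action act = mv->P[row * mv->cols + col];
        if (act == ACT_SEND_ALL) {                /* recognition has occurred */
            if (accesses) *accesses = n;
            return 1;
        }
        if (act != ACT_NEXT1) break;
        idx = val;                                /* value read is the next index of B */
    }
    if (accesses) *accesses = n;
    return 0;
}

int main(void)
{
    const unsigned char s1[] = { 0x01, 0x03, 0x02 };   /* example 1: record 1 */
    const unsigned char s2[] = { 0x04, 0x01 };         /* example 2: rejected at pair 1 */
    const unsigned char s3[] = { 0x01, 0x05, 0x03 };   /* example 3: rejected at pair 2 */
    int k;
    printf("01 03 02 -> %d after %d accesses\n", recognize(s1, sizeof s1, &k), k);
    printf("04 01    -> %d after %d accesses\n", recognize(s2, sizeof s2, &k), k);
    printf("01 05 03 -> %d after %d accesses\n", recognize(s3, sizeof s3, &k), k);
    return 0;
}
```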

* * * 

Herebelow, reference will be again made to figure 9. 
Element 205: 

It is the component for monitoring and acquisition of the 
communication frames. By means of this apparatus, an example of which has already 
been described in detail with reference to the preceding figures from 4 to 8B, the data 
acquisition also at an application level is made possible, i.e. the piece of information 
related to the layers 4-7 of the OSI standard. Such apparatus will be able to accept 
commands as CONNECT, SEND, RECEIVE and CLOSE in the event high layer 
application protocols have to be managed and coordinated. 
Element 206 (Access control): 

This element, starting from the recognition result operated by element 
204, performs the forwarding action associated to such recognition, or the refusal 
action associated to the failed recognition. 

In the event of acceptance the communication frame will be forwarded 
to the server of reference. 

In the event of refusal, the communication frame will be returned to 
the sender, together with possible explanations of the refusal. In fact, by virtue of the 
adopted <item>/<action> structure, it will be possible to associate actions, even 
complex ones such as the construction of answer streams. 
Element 207 (Access coordination): 

This element, starting from the recognition result operated by element 
204, performs the coordinating action associated to such recognition. 

Such coordinating action relates to the identification of the parameters 
to be forwarded to the server for the required coordination, identification of the 
sender, formatting of the parameters to be forwarded, sending of the parameters, 
acquisition of the answer from the server and forwarding of the obtained answer to 
element 204 for a possible continuation of the recognition. 

This approach is made possible by means of the second introduced 
notation, as by virtue of this notation actions can be associated, even complex ones 
such as the construction of streams to be forwarded to specific network accessible servers. 
The coordinating element proves useful when the apparatus is used to manage 
communication among applications, therefore on high layer protocols (such as those 
between client and server applications carried on a TCP layer). In fact, in this 
event the apparatus, by virtue of the actions associated to input stream recognition, 
can operate changes in the stream for its re-forwarding to other application servers 
provided with different application protocols. A typical event occurs when 
interoperability and application cooperation have to be managed in a 
heterogeneous context, where different "application servers" or different broker 
devices need to coexist (here referring also to the various CORBA -Common Object 
Request Broker Architecture- implementations, never fully compatible among 
them) in the presence of client applications often designed to converse using old 
application protocols. 

The present invention has been described hereto with reference to one 
of its embodiments, given as a non-limiting example. 

Furthermore, it is intended that there are other possible embodiments 
and kinds of services falling within the protective scope of the present industrial 
property right. 

For instance, it might be provided that the access control device is 
implemented using a board installed on the processor where the "client" applications 
are operating in a context of the client-server type. 

In this way, it can be guaranteed that the access control device can be programmed by the 
client computer administrator, in order to activate the control/co-ordination/documentation 
exclusively on the communications that are deemed 
"important" to control/co-ordinate/document. 

As an example, the client administrator can decide: 

- which communications, and therefore which application services, are to be 
enabled in input to the client; 

- on which communications, and therefore on which application services, the 
documentation is to be enabled; 

- on which communications, and therefore on which application services, 
specific functions such as authentication, electronic signature etc. are to be 
programmed. 

In the event that there are service centres supplying application services, also 
provided with the access control device according to the present invention, the client 
administrator can decide whether to enable certification services of the application 
services carried out by the objective confirmation of the communication, given by 
the comparison of what was documented by the client and what was documented by the 
service centre. 

As an example, the client administrator can: 

- decide to disable the access to certain WEB servers, i.e. to certain WEB 
pages made available from a WEB server; 

- decide to enable the documentation of the commercial operations he carried 
out on certain WEB sites; and 

- set the application services for which it is necessary to authenticate the 
transaction by electronic signature. 
1. II level language grammar 

The language consists of: types for data representation; operators and rules for composing 
expressions; structures for program flow control; function commands and procedures. 

1.1. Data types 

Types can be divided into three classes: representation of numbers, representation of strings and 
representation of sets. 

Types for representation of numbers 

Types for representation of numbers are the following: 

WORD      LONG 
WORD_HL   LONG_HL 
WORD_LH   LONG_LH 

The WORD type represents integers within the range [-2^15, 2^15]. The width of a WORD is 2 
bytes. The distinction between HL and LH indicates the position of the most significant byte, i.e. 
the first in HL and the second in LH. 

The LONG type represents integers of a much wider range [-2^31, 2^31]. The width of a LONG is 4 
bytes. The distinction between HL and LH indicates the position of the most significant byte, i.e. 
the first in HL and the last in LH. All other bytes follow in the order of representation. 
The HL/LH specification takes into account the various rules by which the network protocols 
represent data in a frame. The user, having these types, will not have to worry about 
operations related to the reading of the various formats. 
Types for representation of strings 

Types for representation of strings are the following: 

BYTE   BYTE ( ) 

STRING 

The first two types are byte-oriented, the last three are string-oriented. 

BYTE indicates the single byte; when followed by a number within round brackets, it indicates a 
byte sequence of that length. 

STRING indicates a string of characters. 

Types for representation of sets 

Types for representation of sets are the following: 

ENUM 

The ENUM type represents sets of elements of 5 types: WORD, LONG, BYTE, 
BYTE_STREAM, STRING. The syntax for its use is the following: 

ENUM <name> <type> 
name1, name2, ..., nameN 
END 

For instance, a set of IP addresses can be represented as follows: 
ENUM ip_address BYTE_STREAM 
{192, 0, 10, 23}, 
{192, 0, 11, 24}, 
{192, 0, 13, 123}, 
{192, 0, 1, 23}, 
{192, 0, 10, 323}, 
{192, 0, 15, 23} 
END 

ENUM name_host STRING 
"CLIENT1", "CLIENT2", ..., "CLIENTn" 
END 



1.2. Operators and expressions

Operators can be divided into three classes:

arithmetic: + - * / =
bit by bit: | &
on strings: @ «

Operators + and - have the same priority, lower than that of * and /. All arithmetical operators are associative left to right, except for the allocation operator = that follows the opposite direction. Operator & indicates the bit by bit AND; operator | indicates the bit by bit inclusive OR. In terms of priority, the former is on the same level as *, the latter on the same level as +.
Binary operator @ indicates concatenation between two variables, to be treated as two strings in binary representation. Binary operator « indicates allocation among strings. For instance,

BYTE (6) string1;
STRING string2;
WORD_HI num;
STRING string3;

Once values have been allocated to string1, string2 and num, the following operation can be performed:

string3 « string1 @ string2 @ num ;

Notice the ; at the end of every command.

Priority and associativity rules referring to each operator can be modified in a single expression using round brackets (apart from operators « and @ that do not allow brackets).
For a closer examination of the forming and the use of expressions deriving from the above-listed operators see the examples below.
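The concatenation shown above, written out in C as an added example (not code from the patent): the three operands are appended in their binary representation, with WORD_HI assumed to be a 16-bit word stored high byte first, and the result is refused when it would overflow the buffer that stands for string3.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the patent: string3 « string1 @ string2 @ num in
 * binary form. BYTE(6) is a 6-byte sequence, STRING a character string, and
 * WORD_HI is assumed to be a 16-bit word stored high byte first. The result
 * is written into the caller's buffer standing for string3. */
size_t concat_at(uint8_t *string3, size_t cap,
                 const uint8_t string1[6], const char *string2, uint16_t num)
{
    size_t len2 = strlen(string2);
    size_t total = 6 + len2 + 2;
    if (total > cap)
        return 0;                        /* string3 cannot hold the result */
    memcpy(string3, string1, 6);         /* BYTE(6) copied as raw bytes */
    memcpy(string3 + 6, string2, len2);  /* STRING without its terminator */
    string3[6 + len2] = (uint8_t)(num >> 8);   /* WORD_HI: high byte first */
    string3[7 + len2] = (uint8_t)(num & 0xff);
    return total;                        /* length of string3 in bytes */
}

int main(void)
{
    const uint8_t string1[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    uint8_t string3[64];
    size_t n = concat_at(string3, sizeof string3, string1, "AB", 0x0102);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", string3[i]);
    putchar('\n');
    return 0;
}
```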



1.3. Control Structures

In the second level language there is a single control structure, having the following syntax:

TEST (<namevar>)
IN <range> : control sequence
IN <range> : control sequence
...
DEFAULT : control or blank sequence ending with ;
END

The first argument <namevar> indicates the name of a previously declared variable, to which a value was given. On the basis of the latter, the test will define whether it belongs to one of the IN blocks below (in this case the block-associated control sequence shall be executed) or to the default block (in this case the control sequence associated to the default block shall be executed).

The argument <range> can be a variable of the ENUM type, or a string-type constant, or a number, or a numeric range indicated in square brackets. In the two latter cases (number or numerical range) the number of bytes referring to the basic comparison is to be indicated in square brackets.

If the value of the <namevar> variable belongs to one of the specified <range> values, the sequence of commands associated thereto is executed. It has to be noted that a sequence of commands cannot include a test. Moreover, the sequence of commands of the mandatory DEFAULT block, a block that is executed when none of the previously listed IN blocks is executed, can also be blank, meaning that a space and a final semicolon follow the colon. In this event no command will be executed.
An example of the use of the TEST structure is reported herebelow: 
TEST (ip_source)
IN ip_address: ;
IN "\0d192\0d.0\0d2\0d32" : RETURN 0;
IN 90-200 [4] :
GET (0, eth_type) ;
PRINT (eth_type) ;
DEFAULT: RETURN -1;
END

The ip_source variable is of the BYTE(4) type and it is assumed to have been previously prompted and allocated. The ip_address variable is of the ENUM type; it has already been declared in the preceding example. The program idles if ip_source belongs to the ip_address set; it gives 0 if it is 192.0.2.32, written as a string; it executes two commands if it is within the range 90 - 200; in all the other events it gives -1.
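The dispatch performed by the TEST structure above, as an added example in C (not code from the patent). It assumes that the ENUM holds 4-byte entries, that the string constant is compared as dotted-decimal text, that "90-200 [4]" compares the four bytes as one unsigned number high byte first, and that stream 0 is a buffer with a cursor from which GET reads a WORD_HI; the return codes other than 0 and -1 are chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the patent: the dispatch performed by the
 * TEST (ip_source) structure above on a 4-byte ip_source. Assumptions:
 * the ENUM holds 4-byte entries; the string constant is compared as
 * dotted-decimal text; "90-200 [4]" compares the 4 bytes as one unsigned
 * number, high byte first; stream 0 is a buffer with a cursor and
 * GET (0, eth_type) reads a WORD_HI at the cursor position. */
struct stream { const uint8_t *buf; size_t len; size_t pos; };

static const uint8_t ip_address[][4] = {   /* the ENUM from the page; the */
    {192, 0, 10, 23}, {192, 0, 11, 24},    /* entry containing 323 is left */
    {192, 0, 13, 123}, {192, 0, 1, 23},    /* out, 323 not being a byte */
    {192, 0, 15, 23}
};
#define N_IP (sizeof ip_address / sizeof ip_address[0])

static int in_enum(const uint8_t ip[4]) {
    for (size_t i = 0; i < N_IP; i++)
        if (memcmp(ip, ip_address[i], 4) == 0) return 1;
    return 0;
}
static int in_string(const uint8_t ip[4], const char *dotted) {
    char s[16];                            /* "255.255.255.255" plus NUL */
    snprintf(s, sizeof s, "%u.%u.%u.%u", (unsigned)ip[0], (unsigned)ip[1],
             (unsigned)ip[2], (unsigned)ip[3]);
    return strcmp(s, dotted) == 0;
}
static int in_range(const uint8_t ip[4], uint32_t lo, uint32_t hi) {
    uint32_t v = ((uint32_t)ip[0] << 24) | ((uint32_t)ip[1] << 16) |
                 ((uint32_t)ip[2] << 8) | ip[3];
    return v >= lo && v <= hi;
}

/* Return codes chosen for this example: 1 = blank IN block (program idles),
 * 0 and -1 = the RETURN values from the page, 2 = range branch executed,
 * -2 = GET would read past the end of the stream. */
int test_ip_source(const uint8_t ip[4], struct stream *st, uint16_t *eth_type) {
    if (in_enum(ip)) return 1;
    if (in_string(ip, "192.0.2.32")) return 0;
    if (in_range(ip, 90, 200)) {
        if (st->pos + 2 > st->len) return -2;  /* bounds check before GET */
        *eth_type = (uint16_t)((st->buf[st->pos] << 8) | st->buf[st->pos + 1]);
        printf("eth_type = 0x%04x\n", *eth_type);   /* PRINT (eth_type) */
        return 2;
    }
    return -1;                                    /* DEFAULT: RETURN -1 */
}
```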

1.4. Functions and commands

Second level language functions are of two types:

functions of the internal library analyseflow.lib;

functions of an external dll linkable to the program.

Internal library functions are as follows:

MOVER (mode, expression)
GET (mode, <namevar>)
PUT (mode, <namevar>)
PRINT (<namevar>)

Apart from PRINT, all functions take mode as a parameter; it indicates an access channel to a reference data stream according to which the function-specific action is to be executed. The channel can be a local one, e.g. mode=1 identifies a local memory buffer, or a remote one, e.g. mode=1 identifies a TCP connection opened with a client, or a connection opened with a remote DBMS. Besides a predetermined set of access channels, the user can define specific TCP services. This operation is allowed by the command #listen followed by a number identifying a TCP service.

The MOVER function shifts the cursor associated to the data stream selected with mode by a number of bytes equal to the result of the expression given as second parameter. The function thus defines the current position of each cursor, according to which the other functions will operate.

The GET function gives a value to the variable indicated with the <namevar> parameter, taking it from the stream indicated with the mode parameter, at the current position of the cursor associated to the stream itself.

The PUT function writes the value of the variable indicated with the <namevar> parameter to the data stream indicated with the mode parameter, at the current position of the cursor associated to the stream itself.

The PRINT function prints to video the value of the <namevar> variable previously defined and initialized.



The program further allows functions from an external dll. These functions are inserted in a preset buffer and have predetermined names (u_f_1, u_f_2, etc.). The dll has to be constructed so as to let this operation occur correctly. In particular:

• it has to be constructed as a succession of functions, each having a serial number which is the same as that of a host function of the preset buffer;

• it has to be constructed in Visual C++ language;

• each function forming it has to have the following structure:

int namefunct (int numparameters, char **parvett, long *dim_vett)

The first parameter is an integer indicating the number of effective parameters required by the function to carry out the operations that are up to it; the second parameter is a pointer to an array of character pointers; the dimension of the array is numparameters; each pointed buffer is a parameter. Finally, the third parameter is a pointer to an array of long integers. Each element of the array indicates the dimension of the string representing the corresponding parameter.

The #define command allows these functions to be renamed with names that can be used inside the program.
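One external function written to the calling convention above, as an added example in C (not code from the patent or its dll). The task given to u_f_0, locating parameter 1 inside parameter 0, is an assumption made for the example; the point it shows is that every parameter is sized by dim_vett and validated before any buffer is read, because frame data may contain NUL bytes and the caller may pass fewer parameters than expected.

```c
#include <string.h>

/* Added example, not from the patent: one external function written to the
 * calling convention above. parvett[i] points at parameter i and dim_vett[i]
 * is its length in bytes, so parameters are binary data and are never
 * assumed to be NUL-terminated. The job given to u_f_0 here is an
 * assumption: find parameter 1 inside parameter 0 and return its offset. */
int u_f_0(int numparameters, char **parvett, long *dim_vett)
{
    /* Validate everything the host passes before touching any buffer. */
    if (numparameters != 2 || parvett == NULL || dim_vett == NULL)
        return -2;                              /* misuse by the caller */
    if (parvett[0] == NULL || parvett[1] == NULL)
        return -2;
    long hay_len = dim_vett[0], needle_len = dim_vett[1];
    if (hay_len < 0 || needle_len <= 0 || needle_len > hay_len)
        return -1;                              /* cannot be present */
    for (long i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(parvett[0] + i, parvett[1], (size_t)needle_len) == 0)
            return i > 0x7fffffff ? -2 : (int)i; /* offset of first match */
    return -1;                                  /* not found */
}

/* The #define of the second level language, mirrored here as a C macro. */
#define find_in_frame u_f_0

int main(void)
{
    char frame[] = "GET /x\0\x08\x00";          /* constructed, embedded NUL */
    char pattern[] = "\x08\x00";
    char *parvett[2] = { frame, pattern };
    long dim_vett[2] = { 9, 2 };                /* sizes, not strlen() */
    return find_in_frame(2, parvett, dim_vett) == 7 ? 0 : 1;
}
```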



1.5. Procedures

The second level language makes it possible to define procedures according to the following syntax:

START <nameproc>
Set of commands forming the procedure.
END

A procedure can be recalled by another with the <nameproc> command, i.e., a procedure is recalled through a homonymous command provided for the purpose. E.g.:

TEST (ip_source)
IN ip_address: proc1 () ;
DEFAULT: RETURN -1;
END

In the example proc1() indicates the recalling of procedure proc1 defined in the program. For further explanation see below the subparagraph on the program structure and the final example.



1.6. The program structure 

The program structure in the second level language, as it can be seen in the example herebelow, 
is the following: 

DEFINE BLOCK 
LISTEN BLOCK 

ENUM TYPES DECLARATION BLOCK 
START MAIN PROCEDURE 
DECLARATION OF VARIABLES 
COMMAND SEQUENCE 
END MAIN PROCEDURE 
SUBPROCEDURES BLOCK 

or, more unequivocally:

#define my_funct0 u_f_0
#define my_funct1 u_f_1
...
#define my_functn u_f_n

#listen tcp_serv1
#listen tcp_serv2
#listen tcp_serv3

enum <name1> type
name11, name12, ..., name1n
end
...
enum <namem> type
namem1, namem2, ..., namemn
end

START main 

DECLARATION OF VARIABLES 
PROGRAM COMMANDS 

END 

START procl 

PROCEDURE COMMANDS 

END 



START procn 

PROCEDURE COMMANDS 

END 



1.7. The run-time performance of the language

A program in this language is a straight-line program where all the instructions take the same time at execution level. In particular, the test instruction takes a constant time at execution level, independently of the number of IN clauses and of the type and dimension of the IN clauses (string, enum, ...).

CLAIMS

1. A network access control device through deterministic recognition of 
application frames satisfying a set of predetermined rules comprising: 

- means (205) for monitoring and interpretation of the application frames to 
recognize; 

- means (201) for storing predetermined rules; 

- means (202) for compiling the predetermined rules in a direct access data 
structure; 

- means (203) for storing said direct access data structure; and 

- means (204) for comparing the application frames to be recognized with 
said direct access data structure, 

wherein the recognition is able to be performed on any frame component and 
the direct access data structure allows an access time substantially independent from 
the number of rules. 

2. The access control device according to claim 1, characterized in that said 
compiling means (202) of the predetermined rules comprise: 

- conversion means, for converting the predetermined rules in a set of basic 
sequences of numerical identifiers; and 

- compression means, for compressing the set of sequences thus obtained in a direct access data structure. 

3. The access control device according to claim 1 or 2, characterized in that it 
further comprises forwarding means, for forwarding the application frame when 
recognized and return-to-sender means, for returning of the application frame when 
not recognized. 

4. The access control device according to claim 3, characterized in that said 
return-to-sender means, for returning the application frames when not recognized, 
return information related to the reason of the failed forwarding. 

5. The access control device according to any of the preceding claims, 
characterized in that the predetermined rules are stored as pairs of <object>/<action> 
fields. 
6. The access control device according to claim 5, characterized in that the predetermined rules are stored as pairs of <data type>/<data value> fields. 

7. The access control device according to claim 5 or 6, characterized in that 
the predetermined rules include one or more joker values. 

8. The network access monitoring device according to claim 5, characterized in that the field <action> refers to the minimal set of commands 

- Push
  <value>
  <variable>
  <reading position>
  <value at the reading position>
- Pop
  <variable>
  <reading position>
  <at the reading position>
- And
- Mul
- Add
- Equal
- Next
- F_send_all
- F_dynamic.

9. The access control device according to claims 2 and 5, characterized in that 
the direct access data structure is represented through a matricial structure 
comprising object fields and action fields. 

10. The access control device according to any of the preceding claims, 
characterized in that the means (205) for monitoring and interpretation of the 
application frames comprise: 

a) a data packets monitoring device (9) at a layer corresponding to the OSI 
layer 2, said data packets comprising control frames and information frames, wherein 
the control and information frames contain a header portion and a body portion, said 



WO 00/10304 PCT/IT99/00262 - 49 -

header portion allowing the distinction between an information frame and a control 
frame; 

b) a control unit (15) receiving as an input the data coming from the 
monitoring device (9) and comprising means for the discrimination of the control 
frames from the information frames; 

c) a dating unit (16) connected to the control unit (15) and associating a 
monitoring time to the control frames and to the information frames; 

d) a discriminated data storing unit (17), storing the control and the 
information frames and the monitoring time thereof, bidirectionally connected to the 
control unit (15); 

e) a predetermined data storing unit (18), bidirectionally connected to the 
control unit (15), said predetermined data representing possible interpretations of the 
information frames contained in the discriminated data storing unit (17); 

f) means for comparing, by the control unit (15), said predetermined data 
stored in the storing unit (18) with the data contained in the body portion of the 
information frames stored in the discriminated data storing unit (17), thus 
reconstructing the information frames according to their specific application syntax; 

g) means for ordering, according to the time and kind of communication, 
the information frames reconstructed according to their specific application syntax, 
thus reconstructing application sequences occurred between a determined source 
processor and a determined destination processor; and 

h) means for ordering said information frames ordered according to the 
time and kind of communication also according to a logical criterion, thus 
reconstructing the logical path of said application sequences occurred between a 
determined source processor and a determined destination processor. 

11. The access control device according to claim 10, characterized in that said 
means for ordering said information frames according to a logical criterion comprise 
means for reciprocally comparing the body portion of the information frames. 

12. The access control device according to claim 10, characterized in that said 
means for ordering said information frames according to a logical criterion comprise 
means for comparing each sequence of body portions of the information frames with 
a set of predetermined sequences, said predetermined sequences representing 
possible interpretations of the information frames sequences contained in the 
discriminated data storing unit (17), said predetermined sequences being contained in 
said predetermined data storing unit (18). 

13. The access control device according to any of the preceding claims, characterized in that it is implemented using a board installed on the processor on which the client applications operate. 